With the advent of powerful computing tools and numerous advances in mathematics, computer science and cryptography, algorithmic number theory has become an important subject in its own right. Both external and internal pressures gave a powerful impetus to the development of more powerful algorithms. These in turn led to a large number of spectacular breakthroughs. To mention but a few, the LLL algorithm which has a wide range of applications, including real world applications to integer programming, primality testing and factoring algorithms, sub-exponential class group and regulator algorithms, etc.

Several books exist which treat parts of this subject. (It is essentially impossible for an author to keep up with the rapid pace of progress in all areas of this subject.) Each book emphasizes a different area, corresponding to the author’s tastes and interests. The most famous, but unfortunately the oldest, is Knuth’s Art of Computer Programming, especially Chapter 4.

The present book has two goals. First, to give a reasonably comprehensive introductory course in computational number theory. In particular, although we study some subjects in great detail, others are only mentioned, but with suitable pointers to the literature. Hence, we hope that this book can serve as a first course on the subject. A natural sequel would be to study more specialized subjects in the existing literature.

The prerequisites for reading this book are contained in introductory texts in number theory such as Hardy and Wright [H-W] and Borevitch and Shafarevitch [Bo-Sh]. The reader also needs some feeling or taste for algorithms and their implementation. To make the book as self-contained as possible, the main definitions are given when necessary. However, it would be more reasonable for the reader to first acquire some basic knowledge of the subject before studying the algorithmic part. On the other hand, algorithms often give natural proofs of important results, and this nicely complements the more theoretical proofs which may be given in other books.

The second goal of this course is practicality. The author’s primary intentions were not only to give fundamental and interesting algorithms, but also to concentrate on practical aspects of the implementation of these algorithms. Indeed, the theory of algorithms, being not only fascinating but rich, can be (somewhat arbitrarily) split up into four closely related parts. The first is the discovery of new algorithms to solve particular problems. The second is the detailed mathematical analysis of these algorithms. This is usually quite mathematical in nature, and quite often intractable, although the algorithms seem to perform rather well in practice. The third task is to study the complexity of the problem. This is where notions of fundamental importance in complexity theory such as NP-completeness come in. The last task, which some may consider the least noble of the four, is to actually implement the algorithms. But this task is of course as essential as the others for the actual resolution of the problem.

In this book we give the algorithms, the mathematical analysis and in some cases the complexity, without proofs in some cases, especially when it suffices to look at the existing literature such as Knuth’s book. On the other hand, we have usually tried as carefully as we could to give the algorithms in a ready to program form, in as optimized a form as possible. This has the drawback that some algorithms are unnecessarily clumsy (this is unavoidable if one optimizes), but has the great advantage that a casual user of these algorithms can simply take them as written and program them in his/her favorite programming language. In fact, the author himself has implemented almost all the algorithms of this book in the number theory package PARI (see Appendix A).

The approach used here as well as the style of presentation of the algorithms is similar to that of Knuth (analysis of algorithms excepted), and is also similar in spirit to the book of Press et al [PFTV] Numerical Recipes (in Fortran, Pascal or C), although the subject matter is completely different.

For the practicality criterion to be compatible with a book of reasonable size, some compromises had to be made. In particular, on the mathematical side, many proofs are not given, especially when they can easily be found in the literature. From the computer science side, essentially no complexity results are proved, although the important ones are stated.

The book is organized as follows. The first chapter gives the fundamental algorithms that are constantly used in number theory, in particular algorithms connected with powering modulo N and with the Euclidean algorithm.

Many number-theoretic problems require algorithms from linear algebra over a field or over Z. This is the subject matter of Chapter 2. The highlights of this chapter are the Hermite and Smith normal forms, and the fundamental LLL algorithm.

In Chapter 3 we explain in great detail the Berlekamp-Cantor-Zassenhaus methods used to factor polynomials over finite fields and over Q, and we also give an algorithm for finding all the complex roots of a polynomial.

Chapter 4 gives an introduction to the algorithmic techniques used in number fields, and the basic definitions and results about algebraic numbers and number fields. The highlights of this chapter are the use of the Hermite Normal Form representation of modules and ideals, an algorithm due to Diaz y Diaz and the author for finding “simple” polynomials defining a number field, and the subfield and field isomorphism problems.
Quadratic fields provide an excellent testing and training ground for the techniques of algorithmic number theory (and for algebraic number theory in general). This is because although they can easily be generated, many non-trivial problems exist, most of which are unsolved (are there infinitely many real quadratic fields with class number 1?). They are studied in great detail in Chapter 5. In particular, this chapter includes recent advances on the efficient computation in class groups of quadratic fields (Shanks’s NUCOMP as modified by Atkin), and sub-exponential algorithms for computing class groups and regulators of quadratic fields (McCurley-Hafner, Buchmann).

Chapter 6 studies more advanced topics in computational algebraic number theory. We first give an efficient algorithm for computing integral bases in number fields (Zassenhaus’s round 2 algorithm), and a related algorithm which allows us to compute explicitly prime decompositions in field extensions as well as valuations of elements and ideals at prime ideals. Then, for number fields of degree less than or equal to 7 we give detailed algorithms for computing the Galois group of the Galois closure. We also study in some detail certain classes of cubic fields. This chapter concludes with a general algorithm for computing class groups and units in general number fields. This is a generalization of the sub-exponential algorithms of Chapter 5, and works quite well. For other approaches, I refer to [Poh-Zas] and to a forthcoming paper of J. Buchmann. This subject is quite involved so, unlike most other situations in this book, I have not attempted to give an efficient algorithm, just one which works reasonably well in practice.

Chapters 1 to 6 may be thought of as one unit and describe many of the most interesting aspects of the theory. These chapters are suitable for a two semester graduate (or even a senior undergraduate) level course in number theory. Chapter 6, and in particular the class group and unit algorithm, can certainly be considered as a climax of the first part of this book.

A number theorist, especially in the algorithmic field, must have a minimum knowledge of elliptic curves. This is the subject of Chapter 7. Excellent books exist about elliptic curves (for example [Sil] and [Sil3]), but our aim is a little different since we are primarily concerned with applications of elliptic curves. But a minimum amount of culture is also necessary, and so the flavor of this chapter is quite different from the other chapters. In the first three sections, we give the essential definitions, and we give the basic and most striking results of the theory, with no pretense to completeness and no algorithms.

The theory of elliptic curves is one of the most marvelous mathematical theories of the twentieth century, and abounds with important conjectures. They are also mentioned in these sections. The last sections of Chapter 7 give a number of useful algorithms for working on elliptic curves, with little or no proofs.

The reader is warned that, apart from the material necessary for later chapters, Chapter 7 needs a much higher mathematical background than the other chapters. It can be skipped if necessary without impairing the understanding of the subsequent chapters.
Chapter 8 (whose title is borrowed from a talk of Hendrik Lenstra) considers the techniques used for primality testing and factoring prior to the 1970’s, with the exception of the continued fraction method of Brillhart-Morrison which belongs in Chapter 10.

Chapter 9 explains the theory and practice of the two modern primality testing algorithms, the Adleman-Pomerance-Rumely test as modified by H. W. Lenstra and the author, which uses Fermat’s (little) theorem in cyclotomic fields, and Atkin’s test which uses elliptic curves with complex multiplication.

Chapter 10 is devoted to modern factoring methods, i.e. those which run in sub-exponential time, and in particular to the Elliptic Curve Method of Lenstra, the Multiple Polynomial Quadratic Sieve of Pomerance and the Number Field Sieve of Pollard. Since many of the methods described in Chapters 9 and 10 are quite complex, it is not reasonable to give ready-to-program algorithms as in the preceding chapters, and the implementation of any one of these complex methods can form the subject of a three month student project.

In Appendix A, we describe what a serious user should know about computer packages for number theory. The reader should keep in mind that the author of this book is biased since he has written such a package himself (this package being available without cost by anonymous ftp).

Appendix B has a number of tables which we think may be useful to the reader. For example, they can be used to check the correctness of the implementation of certain algorithms.

What I have tried to cover in this book is so large a subject that, necessarily, it cannot be treated in as much detail as I would have liked. For further reading, I suggest the following books.

For Chapters 1 and 3, [Knu1] and [Knu2]. This is the bible for algorithm analysis. Note that the sections on primality testing and factoring are outdated. Also, algorithms like the LLL algorithm which did not exist at the time he wrote are, obviously, not mentioned. The recent book [GCL] contains essentially all of our Chapter 3, as well as many more polynomial algorithms which we have not covered in this book such as Gröbner bases computation.

For Chapters 4 and 5, [Bo-Sh], [Mar] and [Ire-Ros]. In particular, [Mar] and [Ire-Ros] contain a large number of practical exercises, which are not far from the spirit of the present book, [Ire-Ros] being more advanced.

For Chapter 6, [Poh-Zas] contains a large number of algorithms, and treats in great detail the question of computing units and class groups in general number fields. Unfortunately the presentation is sometimes obscured by quite complicated notations, and a lot of work is often needed to implement the algorithms given there.

For Chapter 7, [Sil] and [Sil3] are excellent books, and contain numerous exercises. Another good reference is [Hus], as well as [Ire-Ros] for material on zeta-functions of varieties. The algorithmic aspect of elliptic curves is beautifully treated in [Cre], which I also heartily recommend.

For Chapters 8 to 10, the best reference to date, in addition to [Knu2], is [Rie]. In addition, Riesel has several chapters on prime number theory.

Note on the exercises. The exercises have a wide range of difficulty, from extremely easy to unsolved research problems. Many are actually implementation problems, and hence not mathematical in nature. No attempt has been made to grade the level of difficulty of the exercises as in Knuth, except of course that unsolved problems are mentioned as such. The ordering follows roughly the corresponding material in the text.

WARNING. Almost all of the algorithms given in this book have been programmed by the author and colleagues, in particular as a part of the Pari package. The programming has not, however, always been synchronized with the writing of this book, so it may be that some algorithms are incorrect, and others may contain slight typographical errors which of course also invalidate them. Hence, the author and Springer-Verlag do not assume any responsibility for consequences which may directly or indirectly occur from the use of the algorithms given in this book. Apart from the preceding legalese, the author would appreciate corrections, improvements and so forth to the algorithms given, so that this book may improve if further editions are printed. The simplest is to send an e-mail message to

cohen@math.u-bordeaux.fr

or else to write to the author’s address. In addition, a regularly updated errata file is available by anonymous ftp from megrez.math.u-bordeaux.fr (147.210.16.17), directory pub/cohenbook.
Chapter 1

Fundamental Number-Theoretic Algorithms


1.1 Introduction

This book describes in detail a number of algorithms used in algebraic number theory and the theory of elliptic curves. It also gives applications to problems such as factoring and primality testing. Although the algorithms and the theory behind them are sufficiently interesting in themselves, I strongly advise the reader to take the time to implement them on her/his favorite machine. Indeed, one gets a feel for an algorithm mainly after executing it several times. (This book does help by providing many tricks that will be useful for doing this.)

We give the necessary background on number fields and classical algebraic number theory in Chapter 4, and the necessary prerequisites on elliptic curves in Chapter 7. This chapter shows you some basic algorithms used almost constantly in number theory. The best reference here is [Knu2].


1.1.1 Algorithms

Before we can describe even the simplest algorithms, it is necessary to precisely define a few notions. However, we will do this without entering into the sometimes excessively detailed descriptions used in Computer Science. For us, an algorithm will be a method which, given certain types of inputs, gives an answer after a finite amount of time.

Several things must be considered when one describes an algorithm. The first is to prove that it is correct, i.e. that it gives the desired result when it stops. Then, since we are interested in practical implementations, we must give an estimate of the algorithm’s running time, if possible both in the worst case, and on average. Here, one must be careful: the running time will always be measured in bit operations, i.e. logical or arithmetic operations on zeros and ones. This is the most realistic model, if one assumes that one is using real computers, and not idealized ones. Third, the space requirement (measured in bits) must also be considered. In many algorithms, this is negligible, and then we will not bother mentioning it. In certain algorithms however, it becomes an important issue which has to be addressed.

First, some useful terminology: The size of the inputs for an algorithm will usually be measured by the number of bits that they require. For example, the size of a positive integer $N$ is $\lfloor \lg N \rfloor + 1$ (see below for notations). We will say that an algorithm is linear, quadratic or polynomial time if it requires time $O(\ln N)$, $O(\ln^2 N)$, $O(P(\ln N))$ respectively, where $P$ is a polynomial. If the time required is $O(N^\alpha)$, we say that the algorithm is exponential time. Finally, many algorithms have some intermediate running time, for example

$e^{C\sqrt{\ln N \,\ln \ln N}}$

which is the approximate expected running time of many factoring algorithms and of recent algorithms for computing class groups. In this case we say that the algorithm is sub-exponential.

The definition of algorithm which we have given above, although a little vague, is often still too strict for practical use. We need also probabilistic algorithms, which depend on a source of random numbers. These “algorithms” should in principle not be called algorithms since there is a possibility (of probability zero) that they do not terminate. Experience shows, however, that probabilistic algorithms are usually more efficient than non-probabilistic ones; in many cases they are even the only ones available.

Probabilistic algorithms should not be confused with methods (which I refuse to call algorithms) which produce a result which has a high probability of being correct. It is essential that an algorithm produces correct results (discounting human or computer errors), even if this happens after a very long time. A typical example of a non-algorithmic method is the following: suppose $N$ is large and you suspect that it is prime (because it is not divisible by small numbers). Then you can compute

$2^{N-1} \bmod N$

using the powering Algorithm 1.2.1 below. If it is not $1 \bmod N$, then this proves that $N$ is not prime by Fermat’s theorem. On the other hand, if it is equal to $1 \bmod N$, there is a very good chance that $N$ is indeed a prime. But this is not a proof, hence not an algorithm for primality testing (the smallest counterexample is $N = 341$).
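The Fermat computation just described, as an added example that is not the book’s own Algorithm 1.2.1 or PARI code: a left-to-right binary powering routine (the standard square-and-multiply method) evaluates $2^{N-1} \bmod N$, and a scan over small composites confirms that $N = 341 = 11 \cdot 31$ is the smallest composite the base-2 test fails to expose. The function names, and the restriction to $N < 2^{32}$ so that every product fits in 64 bits, are this example’s own choices.

```c
#include <stdint.h>
#include <stdio.h>

/* a^e mod N by left-to-right binary powering: square once per bit of e,
 * multiply by the base when that bit is set.  N < 2^32 keeps r*r below 2^64. */
uint32_t powmod(uint32_t a, uint32_t e, uint32_t N) {
    uint64_t r = 1 % N;                       /* 1 % N also covers N = 1 */
    uint64_t base = a % N;
    for (int i = 31; i >= 0; i--) {
        r = (r * r) % N;
        if ((e >> i) & 1) r = (r * base) % N;
    }
    return (uint32_t)r;
}

/* Fermat: for an odd prime N, 2^(N-1) = 1 (mod N).  Returns 1 when the
 * congruence holds (N prime, or a base-2 pseudoprime); 0 proves N composite. */
int fermat_base2_passes(uint32_t N) {
    return N > 2 && powmod(2, N - 1, N) == 1;
}

/* Trial division, the ground truth for the small N used here. */
int is_prime(uint32_t N) {
    if (N < 2) return 0;
    for (uint32_t d = 2; (uint64_t)d * d <= N; d++)
        if (N % d == 0) return 0;
    return 1;
}

/* Smallest composite N that passes the base-2 Fermat test: the text's 341. */
uint32_t smallest_base2_pseudoprime(void) {
    for (uint32_t N = 4; ; N++)
        if (!is_prime(N) && fermat_base2_passes(N)) return N;
}

int main(void) {
    uint32_t N = smallest_base2_pseudoprime();
    printf("2^%u mod %u = %u, yet %u = 11 * %u\n", N - 1, N, powmod(2, N - 1, N), N, N / 11);
    printf("2^14 mod 15 = %u, so 15 is proved composite\n", powmod(2, 14, 15));
    return 0;
}
```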

Another point to keep in mind for probabilistic algorithms is that the idea of absolute running time no longer makes much sense. This is replaced by the notion of expected running time, which is self-explanatory.


1.1.2 Multi-precision

Since the numbers involved in our algorithms will almost always become quite large, a prerequisite to any implementation is some sort of multi-precision package. This package should be able to handle numbers having up to 1000 decimal digits. Such a package is easy to write, and one is described in detail in Riesel’s book ([Rie]). One can also use existing packages or languages, such as Axiom, Bignum, Derive, Gmp, Lisp, Macsyma, Magma, Maple, Mathematica, Pari, Reduce, or Ubasic (see Appendix A). Even without a multi-precision package, some algorithms can be nicely tested, but their scope becomes more limited.

The pencil and paper method for doing the usual operations can be implemented without difficulty. One should not use a base-10 representation, but rather a base suited to the computer’s hardware.

Such a bare-bones multi-precision package must include at the very least:

• Addition and subtraction of two n-bit numbers (time linear in n).

• Multiplication and Euclidean division of two n-bit numbers (time linear in $n^2$).

• Multiplication and division of an n-bit number by a short integer (time linear in n). Here the meaning of short integer depends on the machine. Usually this means a number of absolute value less than $2^{15}$, $2^{31}$, $2^{35}$ or $2^{63}$.

• Left and right shifts of an n-bit number by small integers (time linear in n).

• Input and output of an n-bit number (time linear in n or in $n^2$ depending on whether the base is a power of 10 or not).

Remark. Contrary to the choice made by some systems such as Maple, I strongly advise using a power of 2 as a base, since usually the time needed for input/output is only a very small part of the total time, and it is also often dominated by the time needed for physical printing or displaying the results.

There exist algorithms for multiplication and division which as n gets large are much faster than $O(n^2)$, the best, due to Schönhage and Strassen, running in $O(n \ln n \ln \ln n)$ bit operations. Since we will be working mostly with numbers of up to roughly 100 decimal digits, it is not worthwhile to implement these more sophisticated algorithms. (These algorithms become practical only for numbers having more than several hundred decimal digits.) On the other hand, simpler schemes such as the method of Karatsuba (see [Knu2] and Exercise 2) can be useful for much smaller numbers.

The times given above for the basic operations should constantly be kept in mind.

Implementation advice. For people who want to write their own bare-bones multi-precision package as described above, by far the best reference is [Knu2] (see also [Rie]). A few words of advice are however necessary. A priori, one can write the package in one’s favorite high level language. As will be immediately seen, this limits the multi-precision base to roughly the square root of the word size. For example, on a typical 32 bit machine, a high level language will be able to multiply two 16-bit numbers, but not two 32-bit ones since the result would not fit. Since the multiplication algorithm used is quadratic, this immediately implies a loss of a factor 4, which in fact usually becomes a factor of 8 or 10 compared to what could be done with the machine’s central processor. This is intolerable. Another alternative is to write everything in assembly language. This is extremely long and painful, usually bug-ridden, and in addition not portable, but at least it is fast. This is the solution used in systems such as Pari and Ubasic, which are much faster than their competitors when it comes to pure number crunching.

There is a third possibility which is a reasonable compromise. Declare global variables (known to all the files, including the assembly language files if any) which we will call remainder and overflow, say.

Then write in any way you like (in assembly language or as high level language macros) nine functions that do the following. Assume a, b, c are unsigned word-sized variables, and let M be the chosen multi-precision base, so all variables will be less than M (for example $M = 2^{32}$). Then we need the following functions, where $0 \le c < M$ and overflow is equal to 0 or 1:
c=add(a,b) corresponding to the formula a+b = overflow·M + c.
c=addx(a,b) corresponding to the formula a+b+overflow = overflow·M + c.
c=sub(a,b) corresponding to the formula a-b = c - overflow·M.
c=subx(a,b) corresponding to the formula a-b-overflow = c - overflow·M.
c=mul(a,b) corresponding to the formula a·b = remainder·M + c, in other words c contains the low order part of the product, and remainder the high order part.

c=div(a,b) corresponding to the formula remainder·M + a = b·c + remainder, where we may assume that remainder < b (the remainder on the left is its value on entry, the one on the right its value on exit).

For the last three functions we assume that M is equal to a power of 2, say $M = 2^m$.

c=shiftl(a,k) corresponding to the formula $2^k a$ = remainder·M + c.
c=shiftr(a,k) corresponding to the formula $a \cdot M/2^k$ = c·M + remainder, where we assume for these last two functions that 0 < k < m.
k=bfffo(a) corresponding to the formula $M/2 \le 2^k a < M$, i.e. $k = \lceil \lg(M/(2a)) \rceil$ when $a \ne 0$, $k = m$ when $a = 0$.

The advantage of this scheme is that the rest of the multi-precision package can be written in a high level language without much sacrifice of speed, and that the black boxes described above are short and easy to write in assembly language. The portability problem also disappears since these functions can easily be rewritten for another machine.

Knowledgeable readers may have noticed that the functions above correspond to a simulation of a few machine language instructions of the 68020/68030/68040 processors. It may be worthwhile to work at a higher level, for example by implementing in assembly language a few of the multi-precision functions mentioned at the beginning of this section. By doing this to a limited extent one can avoid many debugging problems. This also avoids much function call overhead, and allows easier optimizing. As usual, the price paid is portability and robustness.

Remark. One of the most common operations used in number theory is modular multiplication, i.e. the computation of a·b modulo some number N, where a and b are non-negative integers less than N. This can, of course, be trivially done using the formula div(mul(a,b),N), the result being the value of remainder. When many such operations are needed using the same modulus N (this happens for example in most factoring methods, see Chapters 8, 9 and 10), there is a more clever way of doing this, due to P. Montgomery, which can save 10 to 20 percent of the running time, and this is not a negligible saving since it is an absolutely basic operation. We refer to his paper [Mon1] for the description of this method.
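The nine black boxes above, the addition item of the package list, and the Remark’s div(mul(a,b),N) modular multiplication, as an added example in portable C that is neither the book’s nor PARI’s code. It takes $M = 2^{32}$ with 64-bit intermediates standing in for the assembly instructions, and prefixes the book’s names (mp_add, mp_remainder, and so on) because the C library already defines remainder() and div().

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MP_M_BITS 32                 /* m: the base is M = 2^m */
typedef uint32_t word;               /* one base-M digit, 0 <= word < M */

/* The book's globals remainder and overflow, prefixed to avoid clashing with
 * the C library's remainder() and div(). */
word mp_remainder = 0;               /* high word of a product / remainder of a division */
word mp_overflow = 0;                /* carry (add, addx) or borrow (sub, subx), 0 or 1 */

/* c = add(a,b):  a + b = overflow*M + c */
word mp_add(word a, word b) {
    uint64_t s = (uint64_t)a + b;
    mp_overflow = (word)(s >> MP_M_BITS);
    return (word)s;
}
/* c = addx(a,b):  a + b + overflow = overflow*M + c  (carry in, carry out) */
word mp_addx(word a, word b) {
    uint64_t s = (uint64_t)a + b + mp_overflow;
    mp_overflow = (word)(s >> MP_M_BITS);
    return (word)s;
}
/* c = sub(a,b):  a - b = c - overflow*M */
word mp_sub(word a, word b) {
    mp_overflow = a < b;
    return a - b;                    /* unsigned wrap-around supplies the +M */
}
/* c = subx(a,b):  a - b - overflow = c - overflow*M  (borrow in, borrow out) */
word mp_subx(word a, word b) {
    uint64_t d = (uint64_t)a - b - mp_overflow;
    mp_overflow = (word)(d >> 63);   /* top bit set iff the result went negative */
    return (word)d;
}
/* c = mul(a,b):  a*b = remainder*M + c  (c = low word, remainder = high word) */
word mp_mul(word a, word b) {
    uint64_t p = (uint64_t)a * b;
    mp_remainder = (word)(p >> MP_M_BITS);
    return (word)p;
}
/* c = div(a,b):  remainder*M + a = b*c + remainder.  mp_remainder is read on
 * entry (must be < b so that c fits in a word) and rewritten on exit. */
word mp_div(word a, word b) {
    uint64_t n = ((uint64_t)mp_remainder << MP_M_BITS) | a;
    mp_remainder = (word)(n % b);
    return (word)(n / b);
}
/* c = shiftl(a,k):  2^k * a = remainder*M + c,  0 <= k < m */
word mp_shiftl(word a, unsigned k) {
    uint64_t s = (uint64_t)a << k;
    mp_remainder = (word)(s >> MP_M_BITS);
    return (word)s;
}
/* c = shiftr(a,k):  a * M/2^k = c*M + remainder,  0 <= k < m
 * (c = a >> k; remainder = the k shifted-out bits, moved to the top of a word) */
word mp_shiftr(word a, unsigned k) {
    uint64_t s = (uint64_t)a << (MP_M_BITS - k);
    mp_remainder = (word)s;
    return (word)(s >> MP_M_BITS);
}
/* k = bfffo(a):  M/2 <= 2^k * a < M, i.e. the number of leading zero bits of a;
 * k = m when a = 0. */
unsigned mp_bfffo(word a) {
    unsigned k = 0;
    if (a == 0) return MP_M_BITS;
    while (!(a >> (MP_M_BITS - 1))) { a <<= 1; k++; }
    return k;
}
/* First item of the package list, built only on the black boxes: r = a + b for
 * n-word little-endian numbers (n >= 1); returns the carry out.  Linear in n. */
word mp_add_n(word *r, const word *a, const word *b, size_t n) {
    r[0] = mp_add(a[0], b[0]);
    for (size_t i = 1; i < n; i++) r[i] = mp_addx(a[i], b[i]);
    return mp_overflow;
}
/* The Remark's a*b mod N for 0 <= a,b < N, literally div(mul(a,b),N): mul leaves
 * the high word in mp_remainder, which is < N because a,b < N, so div's
 * precondition holds and the remainder it leaves behind is the answer. */
word mp_mulmod(word a, word b, word N) {
    word low = mp_mul(a, b);
    (void)mp_div(low, N);            /* the quotient is not needed */
    return mp_remainder;
}

int main(void) {
    /* (2^64 - 1) + 1 as two-word numbers: both words wrap to 0, carry out is 1 */
    const word a[2] = { 0xFFFFFFFFu, 0xFFFFFFFFu }, b[2] = { 1u, 0u };
    word r[2];
    printf("carry = %u, words = %08x %08x\n", mp_add_n(r, a, b, 2), r[1], r[0]);
    printf("bfffo(3) = %u\n", mp_bfffo(3));   /* 30 leading zeros in 32 bits */
    printf("(M-2)^2 mod (M-1) = %u\n", mp_mulmod(0xFFFFFFFEu, 0xFFFFFFFEu, 0xFFFFFFFFu));
    return 0;
}
```

Note that printf’s argument evaluation order is unspecified, so the main above shows r only after mp_add_n has run because of the sequence point rules on a single call; in production code split the call and the print.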


1.1.3 Base Fields and Rings

Many of the algorithms that we give (for example the linear algebra algorithms of Chapter 2 or some of the algorithms for working with polynomials in Chapter 3) are valid over any base ring or field R where we know how to compute. We must emphasize however that the behavior of these algorithms will be quite different depending on the base ring. Let us look at the most important examples.

The simplest rings are the rings $R = \mathbb{Z}/N\mathbb{Z}$, especially when N is small. Operations in R are simply operations “modulo N” and the elements of R can always be represented by an integer less than N, hence of bounded size. Using the standard algorithms mentioned in the preceding section, and a suitable version of Euclid’s extended algorithm to perform division (see Section 1.3.2), all operations need only $O(\ln^2 N)$ bit operations (in fact $O(1)$ since N is considered as fixed!). An important special case of these rings R is when $N = p$ is a prime, and then $R = \mathbb{F}_p$ the finite field with p elements. More generally, it is easy to see that operations on any finite field $\mathbb{F}_q$ with $q = p^k$ can be done quickly.

The next example is that of R = Z. In many algorithms, it is possible to give an upper bound N on the size of the numbers to be handled. In this case we are back in the preceding situation, except that the bound N is no longer fixed, hence the running time of the basic operations is really $O(\ln^2 N)$ bit operations and not $O(1)$. Unfortunately, in most algorithms some divisions are needed, hence we are no longer working in Z but rather in Q. It is possible to rewrite some of these algorithms so that non-integral rational numbers never occur (see for example the Gauss-Bareiss Algorithm 2.2.6, the integral LLL Algorithm 2.6.7, the sub-resultant Algorithms 3.3.1 and 3.3.7). These versions are then preferable.

The third example is when R = Q. The main phenomenon which occurs in practically all algorithms here is “coefficient explosion”. This means that in the course of the algorithm the numerators and denominators of the rational numbers which occur become very large; their size is almost impossible to control. The main reason for this is that the numerator and denominator of the sum or difference of two rational numbers is usually of the same order of magnitude as those of their product. Consequently it is not easy to give running times in bit operations for algorithms using rational numbers.
The fourth example is that of R = ℝ (or R = ℂ). A new phenomenon occurs here. How can we represent a real number? The truthful answer is that it is in practice impossible, not only because the set ℝ is uncountable, but also because it will always be impossible for an algorithm to tell whether two real numbers are equal, since this requires in general an infinite amount of time (on the other hand if two real numbers are different, it is possible to prove it by computing them to sufficient accuracy). So we must be content with approximations (or with interval arithmetic, i.e. we give for each real number involved in an algorithm a rational lower and upper bound), increasing the closeness of the approximation to suit our needs. A nasty specter is waiting for us in the dark, which has haunted generations of numerical analysts: numerical instability. We will see an example of this in the case of the LLL algorithm (see Remark (4) after Algorithm 2.6.3). Since this is not a book on numerical analysis, we do not dwell on this problem, but it should be kept in mind.

As far as the bit complexity of the basic operations is concerned, since we must work with limited accuracy the situation is analogous to that of Z when an upper bound N is known. If the accuracy used for the real numbers is of the order of 1/N, the number of bit operations for performing the basic operations is O(ln^2 N).

Although not much used in this book, a last example I would like to mention is that of R = Q_p, the field of p-adic numbers. This is similar to the case of real numbers in that we must work with a limited precision, hence the running times are of the same order of magnitude. Since the p-adic valuation is non-Archimedean, i.e. the accuracy of the sum or product of p-adic numbers with a given accuracy is at least of the same accuracy, the phenomenon of numerical instability essentially disappears.


1.1.4  Notations 

We will use Knuth's notations, which have become a de facto standard in the theory of algorithms. Also, some algorithms are directly adapted from Knuth (why change a well written algorithm?). However the algorithmic style of writing used by Knuth is not well suited to structured programming. The reader may therefore find it completely straightforward to write the corresponding programs in assembly language, Basic or Fortran, say, but may find it slightly less so to write them in Pascal or in C.

A warning: presenting an algorithm as a series of steps as is done in this book is only one of the ways in which an algorithm can be described. The presentation may look old-fashioned to some readers, but in the author's opinion it is the best way to explain all the details of an algorithm. In particular it is perhaps better than using some pseudo-Pascal language (pseudo-code). Of course, this is debatable, but this is the choice that has been made in this book. Note however that, as a consequence, the reader should read as carefully as possible the exact phrasing of the algorithm, as well as the accompanying explanations, to avoid any possible ambiguity. This is particularly true in if (conditional) expressions. Some additional explanation is sometimes added to diminish the possibility of ambiguity. For example, if the if condition is not satisfied, the usual word used is otherwise. If if expressions are nested, one of them will use otherwise, and the other will usually use else. I admit that this is not a very elegant solution.

A typical example is step 7 in Algorithm 6.2.9. The initial statement If c = 0 do the following: implies that the whole step will be executed only if c = 0, and must be skipped if c ≠ 0. Then there is the expression if j = i followed by an otherwise, and nested inside the otherwise clause is another if dim(...) < n, and the else go to step 7 which follows refers to this last if, i.e. we go to step 7 if dim(...) ≥ n.

I  apologize  to  the  reader  if  this  causes  any  confusion,  but  I  believe  that 
this  style  of  presentation  is  a  good  compromise. 

⌊x⌋ denotes the floor of x, i.e. the largest integer less than or equal to x. Thus ⌊3.4⌋ = 3, ⌊−3.4⌋ = −4.

⌈x⌉ denotes the ceiling of x, i.e. the smallest integer greater than or equal to x. We have ⌈x⌉ = −⌊−x⌋.

[x] denotes an integer nearest to x, i.e. [x] = ⌊x + 1/2⌋.

[a, b[ denotes the real interval from a to b including a but excluding b. Similarly ]a, b] includes b and excludes a, and ]a, b[ is the open interval excluding a and b. (This differs from the American notations [a, b), (a, b] and (a, b) which in my opinion are terrible. In particular, in this book (a, b) will usually mean the GCD of a and b, and sometimes the ordered pair (a, b).)

lg x denotes the base 2 logarithm of x.

If E is a finite set, |E| denotes the cardinality of E.

If A is a matrix, A^t denotes the transpose of the matrix A. A 1 × n (resp. n × 1) matrix is called a row (resp. column) vector. The reader is warned that many authors use a different notation where the transpose sign is put on the left of the matrix.

If a and b are integers with b ≠ 0, then except when explicitly mentioned otherwise, a mod b denotes the non-negative remainder in the Euclidean division of a by b, i.e. the unique number r such that a ≡ r (mod b) and 0 ≤ r < |b|.

The notation d | n means that d divides n, while d ∥ n will mean that d | n and (d, n/d) = 1. Furthermore, the notations p | n and p^a ∥ n are always taken to imply that p is prime, so for example p^a ∥ n means that p^a is the highest power of p dividing n.

Finally, if a and b are elements in a Euclidean ring (typically Z or the ring of polynomials over a field), we will denote the greatest common divisor (abbreviated GCD in the text) of a and b by gcd(a, b), or simply by (a, b) when there is no risk of confusion.
1.2 The Powering Algorithms

In almost every non-trivial algorithm in number theory, it is necessary at some point to compute the n-th power of an element in a group, where n may be some very large integer (i.e. for instance greater than 10^100). That this is actually possible and very easy is fundamental and one of the first things that one must understand in algorithmic number theory. These algorithms are general and can be used in any group. In fact, when the exponent is non-negative, they can be used in any monoid with unit. We give an abstract version, which can be trivially adapted for any specific situation.

Let (G, ×) be a group. We want to compute g^n for g ∈ G and n ∈ Z in an efficient manner. Assume for example that n > 0. The naive method requires n − 1 group multiplications. We can however do much better. (A note: although Gauss was very proficient in hand calculations, he seems to have missed this method.) The idea is as follows. If n = Σ_i ε_i 2^i is the base 2 expansion of n with ε_i = 0 or 1, then

$$ g^n = \prod_{\varepsilon_i = 1} g^{2^i}, $$

hence if we keep track in an auxiliary variable of the quantities g^{2^i} which we compute by successive squarings, we obtain the following algorithm.

Algorithm 1.2.1 (Right-Left Binary). Given g ∈ G and n ∈ Z, this algorithm computes g^n in G. We write 1 for the unit element of G.

1. [Initialize] Set y ← 1. If n = 0, output y and terminate. If n < 0 let N ← −n and z ← g^{-1}. Otherwise, set N ← n and z ← g.

2. [Multiply?] If N is odd set y ← z · y.

3. [Halve N] Set N ← ⌊N/2⌋. If N = 0, output y as the answer and terminate the algorithm. Otherwise, set z ← z · z and go to step 2.

Examining this algorithm shows that the number of multiplication steps is equal to the number of binary digits of |n| plus the number of ones in the binary representation of |n| minus 1. So, it is at most equal to 2⌊lg |n|⌋ + 1, and on average approximately equal to 1.5 lg |n|. Hence, if one can compute rapidly in G, it is not unreasonable to have exponents with several million decimal digits. For example, if G = (Z/mZ)*, the time of the powering algorithm is O(ln^2 m · ln |n|), since one multiplication in G takes time O(ln^2 m).

The validity of Algorithm 1.2.1 can be checked immediately by noticing that at the start of step 2 one has g^n = y · z^N. This corresponds to a right-to-left scan of the binary digits of |n|.

We can make several changes to this basic algorithm. First, we can write a similar algorithm based on a left to right scan of the binary digits of |n|. In other words, we use the formula g^n = (g^{n/2})^2 if n is even and g^n = g · (g^{(n−1)/2})^2 if n is odd. This assumes however that we know the position of the leftmost bit of |n| (or that we have taken the time to look for it beforehand), i.e. that we know the integer e such that 2^e ≤ |n| < 2^{e+1}. Such an integer can be found using a standard binary search on the binary digits of n, hence the time taken to find it is O(lg lg |n|), and this is completely negligible with respect to the other operations. This leads to the following algorithm.

Algorithm 1.2.2 (Left-Right Binary). Given g ∈ G and n ∈ Z, this algorithm computes g^n in G. If n ≠ 0, we assume also given the unique integer e such that 2^e ≤ |n| < 2^{e+1}. We write 1 for the unit element of G.

1. [Initialize] If n = 0, output 1 and terminate. If n < 0 set N ← −n and z ← g^{-1}. Otherwise, set N ← n and z ← g. Finally, set y ← z, E ← 2^e, N ← N − E.

2. [Finished?] If E = 1, output y and terminate the algorithm. Otherwise, set E ← E/2.

3. [Multiply?] Set y ← y · y and if N ≥ E, set N ← N − E and y ← y · z. Go to step 2.

Note that E takes as values the decreasing powers of 2 from 2^e down to 1, hence when implementing this algorithm, all operations using E must be thought of as bit operations. For example, instead of keeping explicitly the (large) number E, one can just keep its exponent (which will go from e down to 0). Similarly, one does not really subtract E from N or compare N with E, but simply look whether a particular bit of N is 0 or not. To be specific, assume that we have written a little program bit(N, f) which outputs bit number f of N, bit 0 being, by definition, the least significant bit. Then we can rewrite Algorithm 1.2.2 as follows.

Algorithm 1.2.3 (Left-Right Binary, Using Bits). Given g ∈ G and n ∈ Z, this algorithm computes g^n in G. If n ≠ 0, we assume also that we are given the unique integer e such that 2^e ≤ |n| < 2^{e+1}. We write 1 for the unit element of G.

1. [Initialize] If n = 0, output 1 and terminate. If n < 0 set N ← −n and z ← g^{-1}. Otherwise, set N ← n and z ← g. Finally, set y ← z, f ← e.

2. [Finished?] If f = 0, output y and terminate the algorithm. Otherwise, set f ← f − 1.

3. [Multiply?] Set y ← y · y and if bit(N, f) = 1, set y ← y · z. Go to step 2.

The main advantage of this algorithm over Algorithm 1.2.1 is that in step 3 above, z is always the initial g (or its inverse if n < 0). Hence, if g is represented by a small integer, this may mean a linear time multiplication instead of a quadratic time one. For example, if G = (Z/mZ)* and if g (or g^{-1} if n < 0) is represented by the class of a single precision integer, the running time of Algorithms 1.2.2 and 1.2.3 will be on average up to 1.5 times faster than Algorithm 1.2.1.

Algorithm  1.2.3  can  be  improved  by  making  use  of  the  representation  of 
|n|  in  a  base  equal  to  a  power  of  2,  instead  of  base  2  itself.  In  this  case,  only 
the  left-right  version  exists. 

This is done as follows (we may assume n > 0). Choose a suitable positive integer k (we will see in the analysis how to choose it optimally). Precompute g^2 and by induction the odd powers g^3, g^5, ..., g^{2^k − 1}, and initialize y to g as in Algorithm 1.2.3. Now if we scan the 2^k-representation of |n| from left to right (i.e. k bits at a time of the binary representation), we will encounter digits a in base 2^k, hence such that 0 ≤ a < 2^k. If a = 0, we square k times our current y. If a ≠ 0, we can write a = 2^t b with b odd and less than 2^k, and 0 ≤ t < k. We must set y ← y^{2^k} · g^{2^t b}, and this is done by computing first y^{2^{k−t}} · g^b (which involves k − t squarings plus one multiplication since g^b has been precomputed), then squaring t times the result. This leads to the following algorithm. Here we assume that we have an algorithm digit(k, N, f) which gives digit number f of N expressed in base 2^k.

Algorithm 1.2.4 (Left-Right Base 2^k). Given g ∈ G and n ∈ Z, this algorithm computes g^n in G. If n ≠ 0, we assume also given the unique integer e such that 2^{ke} ≤ |n| < 2^{k(e+1)}. We write 1 for the unit element of G.

1. [Initialize] If n = 0, output 1 and terminate. If n < 0 set N ← −n and z ← g^{-1}. Otherwise, set N ← n and z ← g. Finally set f ← e.

2. [Precomputations] Compute and store z^3, z^5, ..., z^{2^k − 1}.

3. [Multiply] Set a ← digit(k, N, f). If a = 0, repeat k times y ← y · y. Otherwise, write a = 2^t b with b odd, and if f ≠ e repeat k − t times y ← y · y and set y ← y · z^b, while if f = e set y ← z^b (using the precomputed value of z^b), and finally (still if a ≠ 0) repeat t times y ← y · y.

4. [Finished?] If f = 0, output y and terminate the algorithm. Otherwise, set f ← f − 1 and go to step 3.

Implementation Remark. Although the splitting of a in the form 2^t b takes very little time compared to the rest of the algorithm, it is a nuisance to have to repeat it all the time. Hence, we suggest precomputing all pairs (t, b) for a given k (including (k, 0) for a = 0) so that t and b can be found simply by table lookup. Note that this precomputation depends only on the value of k chosen for Algorithm 1.2.4, and not on the actual value of the exponent n.

Let us now analyze the average behavior of Algorithm 1.2.4 so that we can choose k optimally. As we have already explained, we will regard as negligible the time spent in computing e or in extracting bits or digits in base 2^k.

The precomputations require 2^{k−1} multiplications. The total number of squarings is exactly the same as in the binary algorithm, i.e. ⌊lg |n|⌋, and the number of multiplications is equal to the number of non-zero digits of |n| in base 2^k, i.e. on average

$$ \frac{2^k - 1}{k\,2^k}\,\lg|n|, $$

so the total number of multiplications which are not squarings is on average approximately equal to

$$ m(k) = 2^{k-1} + \frac{2^k - 1}{k\,2^k}\,\lg|n|. $$

Now, if we compute m(k + 1) − m(k), we see that it is non-negative as long as

$$ \lg|n| \le \frac{k(k+1)\,2^{2k}}{2^{k+1} - k - 2}. $$

Hence, for the highest efficiency, one should choose k equal to the smallest integer satisfying the above inequality, and this gives k = 1 for |n| ≤ 256, k = 2 for |n| ≤ 2^24, etc. For example, if |n| has between 60 and 162 decimal digits, the optimal value of k is k = 5. For a more specific example, assume that n has 100 decimal digits (i.e. lg n approximately equal to 332) and that the time for squaring is about 3/4 of the time for multiplication (this is quite a reasonable assumption). Then, counting multiplication steps, the ordinary binary algorithm takes on average (3/4)332 + 332/2 = 415 steps. On the other hand, the base 2^5 algorithm takes on average (3/4)332 + 16 + (31/160)332 ≈ 329 multiplication steps, an improvement of more than 20%.

There is however another point to take into account. When, for instance, G = (Z/mZ)* and g (or g^{-1} when n < 0) is represented by the (residue) class of a single precision integer, replacing multiplication by g by multiplication by its small odd powers may have the disadvantage compared to Algorithm 1.2.3 that these powers may not be single precision. Hence, in this case, it may be preferable either to use Algorithm 1.2.3, or to use the largest value of k less than or equal to the optimal one which keeps all the z^b with b odd and 1 ≤ b ≤ 2^k − 1 represented by single precision integers.
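The three powering algorithms above (1.2.1, 1.2.3 and 1.2.4), instrumented to count group operations, as an added example that is not code from the book. The group is (Z/mZ)*; the inverse g^{-1} needed for n < 0 is taken with Python's pow(g, -1, m), so g must be invertible modulo m. bit(N, f) and digit(k, N, f) are done with shifts as the text recommends, the (t, b) table of the Implementation Remark is built by split_table, and optimal_k applies the inequality of the analysis to choose k. The function names, and the convention that the precomputed z^2 is counted among the 2^{k-1} precomputation multiplications (as in the text), are my own choices.

```python
import math


def _prepare(g, n, m):
    """Step 1 shared by all three algorithms: N = |n| and z = g or g^-1 (mod m)."""
    if n < 0:
        return -n, pow(g, -1, m)          # g must be invertible modulo m (Python 3.8+)
    return n, g % m


def right_left_binary(g, n, m):
    """Algorithm 1.2.1 in (Z/mZ)*. Returns (g^n mod m, squarings, multiplications)."""
    if n == 0:
        return 1 % m, 0, 0
    N, z = _prepare(g, n, m)
    y, sq, mul = 1 % m, 0, 0
    while True:
        if N & 1:                         # step 2: low bit set, multiply
            y, mul = z * y % m, mul + 1
        N >>= 1                           # step 3: halve N
        if N == 0:
            return y, sq, mul
        z, sq = z * z % m, sq + 1         # z now holds g^(2^i)


def left_right_bits(g, n, m):
    """Algorithm 1.2.3: left-to-right scan with bit(N, f) = (N >> f) & 1."""
    if n == 0:
        return 1 % m, 0, 0
    N, z = _prepare(g, n, m)
    f = N.bit_length() - 1                # e with 2^e <= N < 2^(e+1)
    y, sq, mul = z, 0, 0
    while f > 0:                          # step 2
        f -= 1
        y, sq = y * y % m, sq + 1         # step 3: square, then multiply if bit f is set
        if (N >> f) & 1:
            y, mul = y * z % m, mul + 1
    return y, sq, mul


def split_table(k):
    """Implementation Remark: table[a] = (t, b) with a = 2^t * b, b odd; table[0] = (k, 0)."""
    table = [(k, 0)]
    for a in range(1, 1 << k):
        t = (a & -a).bit_length() - 1     # number of trailing zero bits of a
        table.append((t, a >> t))
    return table


def left_right_base2k(g, n, m, k):
    """Algorithm 1.2.4 (base 2^k). Multiplications include the 2^(k-1) precomputations."""
    if n == 0:
        return 1 % m, 0, 0
    N, z = _prepare(g, n, m)
    table = split_table(k)
    z2 = z * z % m                        # step 2: z^2, then z^3, z^5, ..., z^(2^k - 1)
    odd, mul = {1: z}, 1
    for b in range(3, 1 << k, 2):
        odd[b] = odd[b - 2] * z2 % m
        mul += 1
    e = (N.bit_length() - 1) // k         # 2^(ke) <= N < 2^(k(e+1))
    mask = (1 << k) - 1
    y, sq, f = None, 0, e
    while True:
        a = (N >> (k * f)) & mask         # step 3: a = digit(k, N, f)
        t, b = table[a]
        if a == 0:
            for _ in range(k):
                y, sq = y * y % m, sq + 1
        else:
            if f != e:
                for _ in range(k - t):    # k - t squarings, then one multiplication
                    y, sq = y * y % m, sq + 1
                y, mul = y * odd[b] % m, mul + 1
            else:
                y = odd[b]                # leading digit: start from the stored z^b
            for _ in range(t):
                y, sq = y * y % m, sq + 1
        if f == 0:                        # step 4
            return y, sq, mul
        f -= 1


def optimal_k(n):
    """Smallest k with lg|n| <= k(k+1)2^(2k) / (2^(k+1) - k - 2), from the analysis (n != 0)."""
    lg = math.log2(abs(n))
    k = 1
    while lg > k * (k + 1) * 2 ** (2 * k) / (2 ** (k + 1) - k - 2):
        k += 1
    return k
```

For n = 13 = 1101 in binary, Algorithm 1.2.1 uses 3 squarings and 3 multiplications (4 binary digits plus 3 ones minus 1), Algorithm 1.2.3 saves one multiplication because y starts at z, and with k = 2 Algorithm 1.2.4 trades squarings for precomputation.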

(A  long  text  should  be  inserted  here,  but  no  place  to  do  this  (see  page  45).) 


Quite a different way to improve on Algorithm 1.2.1 is to try to find a near optimal "addition chain" for |n|, and this also can lead to improvements, especially when the same exponent is used repeatedly (see [BCS]. For a detailed discussion of addition chains, see [Knu2].) In practice, we suggest using the flexible 2^k-algorithm for a suitable value of k.


The powering algorithm is used very often with the ring Z/mZ. In this case multiplication does not give a group law, but the algorithm is valid nonetheless if either n is non-negative or if g is an invertible element. Furthermore, the group multiplication is "multiplication followed by reduction modulo m". Depending on the size of m, it may be worthwhile to not do the reductions each time, but to do them only when necessary to avoid overflow or loss of time.

We  will  use  the  powering  algorithm  in  many  other  contexts  in  this  book,  in 
particular  when  computing  in  class  groups  of  number  fields,  or  when  working 
with  elliptic  curves  over  finite  fields. 
Note that for many groups it is possible (and desirable) to write a squaring routine which is faster than the general-purpose multiplication routine. In situations where the powering algorithm is used intensively, it is essential to use this squaring routine when multiplications of the type y ← y · y are encountered.


1.3  Euclid’s  Algorithms 

We now consider the problem of computing the GCD of two integers a and b. The naive answer to this problem would be to factor a and b, and then multiply together the common prime factors raised to suitable powers. Indeed, this method works well when a and b are very small, say less than 100, or when a or b is known to be prime (then a single division is sufficient). In general this is not feasible, because one of the important facts of life in number theory is that factorization is difficult and slow. We will have many occasions to come back to this. Hence, we must use better methods to compute GCD's. This is done using Euclid's algorithm, probably the oldest and most important algorithm in number theory.

Although very simple, this algorithm has several variants, and, because of its usefulness, we are going to study it in detail. We shall write (a, b) for the GCD of a and b when there is no risk of confusion with the pair (a, b). By definition, (a, b) is the unique non-negative generator of the additive subgroup of Z generated by a and b. In particular, (a, 0) = (0, a) = |a| and (a, b) = (|a|, |b|). Hence we can always assume that a and b are non-negative.


1.3.1  Euclid’s  and  Lehmer’s  Algorithms 
Euclid’s  algorithm  is  as  follows: 

Algorithm  1.3.1  (Euclid).  Given  two  non-negative  integers  a  and  b,  this 
algorithm  finds  their  GCD. 

1.  [Finished?]  If  b  =  0  then  output  a  as  the  answer  and  terminate  the  algorithm. 

2.  [Euclidean  step]  Set  r  <—  a  mod  b,  a  <—  b,  b  <—  r  and  go  to  step  1. 

If either a or b is less than a given number N, the number of Euclidean steps in this algorithm is bounded by a constant times ln N, in both the worst case and on average. More precisely we have the following theorem (see [Knu2]):

Theorem 1.3.2. Assume that a and b are randomly distributed between 1 and N. Then

(1) The number of Euclidean steps is at most equal to

$$ \frac{\ln(\sqrt{5}\,N)}{\ln\big((1+\sqrt{5})/2\big)} - 2 \approx 2.078 \ln N + 1.672. $$

(2) The average number of Euclidean steps is approximately equal to

$$ \frac{12 \ln 2}{\pi^2} \ln N + 0.14 \approx 0.843 \ln N + 0.14. $$


However, Algorithm 1.3.1 is far from being the whole story. First, it is not well suited to handling large numbers (in our sense, say numbers with 50 or 100 decimal digits). This is because each Euclidean step requires a long division, which takes time O(ln^2 N). When carelessly programmed, the algorithm takes time O(ln^3 N). If, however, at each step the precision is decreased as a function of a and b, and if one also notices that the time to compute a Euclidean step a = bq + r is O((ln a)(ln q + 1)), then the total time is bounded by O((ln N)((Σ ln q) + O(ln N))). But Σ ln q = ln Π q ≤ ln a ≤ ln N, hence if programmed carefully, the running time is only O(ln^2 N). There is a useful variant due to Lehmer which also brings down the running time to O(ln^2 N). The idea is that the Euclidean quotient depends generally only on the first few digits of the numbers. Therefore it can usually be obtained using a single precision calculation. The following algorithm is taken directly from Knuth. Let M = m^p be the base used for multi-precision numbers. Typical choices are m = 2, p = 15, 16, 31, or 32, or m = 10, p = 4 or 9.

Algorithm 1.3.3 (Lehmer). Let a and b be non-negative multi-precision integers, and assume that a ≥ b. This algorithm computes (a, b), using the following auxiliary variables. â, b̂, A, B, C, D, T and q are single precision (i.e. less than M), and t and r are multi-precision variables.

1. [Initialize] If b < M, i.e. is single precision, compute (a, b) using Algorithm 1.3.1 and terminate. Otherwise, let â (resp. b̂) be the single precision number formed by the highest non-zero base M digit of a (resp. b). Set A ← 1, B ← 0, C ← 0, D ← 1.

2. [Test quotient] If b̂ + C = 0 or b̂ + D = 0 go to step 4. Otherwise, set q ← ⌊(â + A)/(b̂ + C)⌋. If q ≠ ⌊(â + B)/(b̂ + D)⌋, go to step 4. Note that one always has the conditions

0 ≤ â + A ≤ M,  0 ≤ b̂ + C ≤ M,
0 ≤ â + B ≤ M,  0 ≤ b̂ + D ≤ M.

Notice that one can have a single precision overflow in this step, which must be taken into account. (This can occur only if â = M − 1 and A = 1 or if b̂ = M − 1 and D = 1.)
3. [Euclidean step] Set T ← A − qC, A ← C, C ← T, T ← B − qD, B ← D, D ← T, T ← â − q b̂, â ← b̂, b̂ ← T and go to step 2 (all these operations are single precision operations).

4. [Multi-precision step] If B = 0, set t ← a mod b, a ← b, b ← t, using multi-precision division (this happens with a very small probability, on the order of 1.4/M) and go to step 1. Otherwise, set t ← Aa, t ← t + Bb, r ← Ca, r ← r + Db, a ← t, b ← r, using linear-time multi-precision operations, and go to step 1.

Note that the number of steps in this algorithm will be the same as in Algorithm 1.3.1, i.e. O(ln N) if a and b are less than N, but each loop now consists only of linear time operations (except for the case B = 0 in step 4 which is so rare as not to matter in practice). Therefore, even without using variable precision, the running time is now only of order O(ln^2 N) and not O(ln^3 N). Of course, there is much more bookkeeping involved, so it is not clear how large N must be before a particular implementation of this algorithm becomes faster than a crude implementation of Algorithm 1.3.1. Or, even whether a careful implementation of Algorithm 1.3.1 will not compete favorably in practice. Testing needs to be done before choosing which of these algorithms to use.
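Algorithms 1.3.1 and 1.3.3 in Python, with the Euclidean steps and the multi-precision divisions counted, as an added example that is not the book's code. Python integers are already multi-precision, so the single-precision variables are simulated by working on the top p bits of a, with M = 2^p. Following Knuth's Algorithm L, from which the text says Algorithm 1.3.3 is taken, b̂ is taken as the bits of b in the same positions as â rather than the highest non-zero digit of b on its own; that choice, the default p = 31 and the function names are assumptions of this example. fibonacci_pair produces consecutive Fibonacci numbers, the input on which Euclid's algorithm performs the most steps for its size (the constant in Theorem 1.3.2 (1) comes from exactly this case).

```python
def euclid_gcd(a, b):
    """Algorithm 1.3.1. Returns (gcd, number of Euclidean steps)."""
    steps = 0
    while b:                              # step 1: finished when b = 0
        a, b = b, a % b                   # step 2: Euclidean step
        steps += 1
    return a, steps


def fibonacci_pair(k):
    """(F_{k+1}, F_k) with F_1 = F_2 = 1: Euclid needs k - 1 steps on this pair (k >= 2)."""
    a, b = 1, 1
    for _ in range(k - 1):
        a, b = a + b, a
    return a, b


def lehmer_gcd(a, b, p=31):
    """Algorithm 1.3.3 with M = 2^p.

    Returns (gcd, multi-precision divisions done in step 4, single-precision steps
    done in step 3).  A, B, C, D, q and the "hat" values are the single-precision
    variables of the text; with Python integers we only need to keep them small.
    """
    M = 1 << p
    if a < b:
        a, b = b, a
    mp_divs = sp_steps = 0
    while True:
        if b < M:                         # step 1: b single precision, finish with Euclid
            return euclid_gcd(a, b)[0], mp_divs, sp_steps
        # a_hat = top p bits of a; b_hat = the bits of b at the same positions
        # (assumption: Knuth's "corresponding digits", see the lead-in)
        shift = a.bit_length() - p
        ah, bh = a >> shift, b >> shift
        A, B, C, D = 1, 0, 0, 1
        while True:                       # step 2: is the quotient determined by the heads?
            if bh + C == 0 or bh + D == 0:
                break
            q = (ah + A) // (bh + C)
            if q != (ah + B) // (bh + D):
                break
            # step 3: Euclidean step on the approximations and on the 2x2 transform
            A, C = C, A - q * C
            B, D = D, B - q * D
            ah, bh = bh, ah - q * bh
            sp_steps += 1
        if B == 0:                        # step 4: no certain quotient, one real division
            a, b = b, a % b
            mp_divs += 1
        else:                             # apply the accumulated transform to a and b
            a, b = A * a + B * b, C * a + D * b
```

The transform (A, B; C, D) is the product of the single-precision Euclidean steps, so A·a + B·b and C·a + D·b are exactly the remainders Euclid's algorithm would have reached with those quotients; this is why the step-4 update needs only linear-time operations.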

Another variant of Euclid's algorithm which is also useful in practice is the so-called binary algorithm. Here, no long division steps are used, except at the beginning, instead only subtraction steps and divisions by 2, which are simply integer shifts. The number of steps needed is greater, but the operations used are much faster, and so there is a net gain, which can be quite large for multi-precision numbers. Furthermore, using subtractions instead of divisions is quite reasonable in any case, since most Euclidean quotients are small. More precisely, we can state:

Theorem 1.3.4. In a suitable sense, the probability P(q) that a Euclidean quotient be equal to q is

$$ P(q) = \lg\frac{(q+1)^2}{(q+1)^2 - 1}. $$

For example, P(1) = 0.41504..., P(2) = 0.16992..., P(3) = 0.09311..., P(4) = 0.05890....

For example, from this theorem, one can see that the probability of occurrence of B = 0 in step 4 of Algorithm 1.3.3 is lg(1 + 1/M), and this is negligible in practice.

One  version  of  the  binary  algorithm  is  as  follows. 

Algorithm 1.3.5 (Binary GCD). Given two non-negative integers a and b, this algorithm finds their GCD.

1. [Reduce size once] If a < b exchange a and b. Now if b = 0, output a and terminate the algorithm. Otherwise, set r ← a mod b, a ← b and b ← r.

2. [Compute power of 2] If b = 0 output a and terminate the algorithm. Otherwise, set k ← 0, and then while a and b are both even, set k ← k + 1, a ← a/2, b ← b/2.

3. [Remove initial powers of 2] If a is even, repeat a ← a/2 until a is odd. Otherwise, if b is even, repeat b ← b/2 until b is odd.

4. [Subtract] (Here a and b are both odd.) Set t ← (a − b)/2. If t = 0, output 2^k a and terminate the algorithm.

5. [Loop] While t is even, set t ← t/2. Then if t > 0 set a ← t, else set b ← −t, and go to step 4.

Remarks.

(1) The binary algorithm is especially well suited for computing the GCD of multi-precision numbers. This is because no divisions are performed, except on the first step. Hence we suggest using it systematically in this case.

(2) All the divisions by 2 performed in this algorithm must be done using shifts or Boolean operations, otherwise the algorithm loses much of its attractiveness. In particular, it may be worthwhile to program it in a low-level language, and even in assembly language, if it is going to be used extensively. Note that some applications, such as computing in class groups, use GCD as a basic operation, hence it is essential to optimize the speed of the algorithm for these applications.

(3) One could directly start the binary algorithm in step 2, avoiding division altogether. We feel however that this is not such a good idea, since a and b may have widely differing magnitudes, and step 1 ensures that we will work on numbers at most the size of the smallest of the two numbers a and b, and not of the largest, as would be the case if we avoided step 1. In addition, it is quite common for b to divide a when starting the algorithm. In this case, of course, the algorithm immediately terminates after step 1.

(4) Note that the sign of t in step 4 of the algorithm enables the algorithm to keep track of the larger of a and b, so that we can replace the larger of the two by |t| in step 5. We can also keep track of this data in a separate variable and thereby work only with non-negative numbers.

(5) Finally, note that the binary algorithm can use the ideas of Algorithm 1.3.3 for multi-precision numbers. The resulting algorithm is complex and its efficiency is implementation dependent. For more details, see [Knu2, p. 599].

The proof of the validity of the binary algorithm is easy and left to the reader. On the other hand, a detailed analysis of the average running time of the binary algorithm is a challenging mathematical problem (see [Knu2] once again). Evidently, as was the case for Euclid's algorithm, the running time will be O(ln^2 N) bit operations when suitably implemented, where N is an upper bound on the size of the inputs a and b. The mathematical problem is to find an asymptotic estimate for the number of steps and the number of shifts performed in Algorithm 1.3.5, but this has an influence only on the O constant, not on the qualitative behavior. □


1.3.2 Euclid's Extended Algorithms

The information given by Euclid's algorithm is not always sufficient for many problems. In particular, by definition of the GCD, if $d = (a, b)$ there exist integers u and v such that $au + bv = d$. It is often necessary to extend Euclid's algorithm so as to be able to compute u and v. While u and v are not unique, u is defined modulo b/d, and v is defined modulo a/d.

There are two ways of doing this. One is by storing the Euclidean quotients as they come along, and then, once d is found, backtracking to the initial values. This method is the most efficient, but can require a lot of storage. In some situations where this information is used extensively (such as Shanks's and Atkin's NUCOMP in Section 5.4.2), any little gain should be taken, and so one should do it this way.

The other method requires very little storage and is only slightly slower. This requires using a few auxiliary variables so as to do the computations as we go along. We first give a version which does not take into account multi-precision numbers.

Algorithm 1.3.6 (Euclid Extended). Given non-negative integers a and b, this algorithm determines (u, v, d) such that $au + bv = d$ and $d = (a, b)$. We use auxiliary variables $v_1$, $v_3$, $t_1$, $t_3$.

1. [Initialize] Set $u \leftarrow 1$, $d \leftarrow a$. If $b = 0$, set $v \leftarrow 0$ and terminate the algorithm, otherwise set $v_1 \leftarrow 0$ and $v_3 \leftarrow b$.

2. [Finished?] If $v_3 = 0$ then set $v \leftarrow (d - au)/b$ and terminate the algorithm.

3. [Euclidean step] Let $q \leftarrow \lfloor d/v_3 \rfloor$ and simultaneously $t_3 \leftarrow d \bmod v_3$. Then set $t_1 \leftarrow u - qv_1$, $u \leftarrow v_1$, $d \leftarrow v_3$, $v_1 \leftarrow t_1$, $v_3 \leftarrow t_3$ and go to step 2.

"Simultaneously" in step 3 means that if this algorithm is implemented in assembly language, then, since the division instruction usually gives both the quotient and remainder, this should of course be used. Even if this algorithm is not programmed in assembly language, but a and b are multi-precision numbers, the division routine in the multi-precision library should also return both quotient and remainder. Note also that in step 2, the division of $d - au$ by b is exact.

Proof of the Algorithm. Introduce three more variables $v_2$, $t_2$ and v. We want the following relations to hold each time one begins step 2:

$$at_1 + bt_2 = t_3, \qquad au + bv = d, \qquad av_1 + bv_2 = v_3.$$

For this to be true after the initialization step, it suffices to set $v \leftarrow 0$, $v_2 \leftarrow 1$. (It is not necessary to initialize the t variables.) Then, it is easy to check that step 3 preserves these relations if we update suitably the three auxiliary variables (by $(v_2, t_2, v) \leftarrow (t_2, v - qv_2, v_2)$). Therefore, at the end of the algorithm, d contains the GCD (since we have simply added some extra work to the initial Euclidean algorithm), and we also have $au + bv = d$. □

As an exercise, the reader can show that at the end of the algorithm, we have $v_1 = \pm b/d$ (and $v_2 = \mp a/d$ in the proof), and that throughout the algorithm, $|v_1|$, $|u|$, $|t_1|$ stay less than or equal to b/d (and $|v_2|$, $|v|$, $|t_2|$ stay less than or equal to a/d).

This algorithm can be improved for multi-precision numbers exactly as in Lehmer's Algorithm 1.3.3. Since it is a simple blend of Algorithms 1.3.3 and 1.3.6, we do not give a detailed proof. (Notice however that the variables d and $v_3$ have become a and b.)

Algorithm 1.3.7 (Lehmer Extended). Let a and b be non-negative multi-precision integers, and assume that $a \ge b$. This algorithm computes (u, v, d) such that $au + bv = d = (a, b)$, using the following auxiliary variables: $\hat a$, $\hat b$, A, B, C, D, T and q are single precision (i.e. less than M), and t, r, $v_1$, $v_3$ are multi-precision variables.

1. [Initialize] Set $u \leftarrow 1$, $v_1 \leftarrow 0$.

2. [Finished?] If $b < M$, i.e. is single precision, compute (u, v, d) using Algorithm 1.3.6 and terminate. Otherwise, let $\hat a$ (resp. $\hat b$) be the single precision number formed by the p most significant digits of a (resp. b). Set $A \leftarrow 1$, $B \leftarrow 0$, $C \leftarrow 0$, $D \leftarrow 1$.

3. [Test quotient] If $\hat b + C = 0$ or $\hat b + D = 0$ go to step 5. Otherwise, set $q \leftarrow \lfloor (\hat a + A)/(\hat b + C) \rfloor$. If $q \ne \lfloor (\hat a + B)/(\hat b + D) \rfloor$, go to step 5.

4. [Euclidean step] Set $T \leftarrow A - qC$, $A \leftarrow C$, $C \leftarrow T$, $T \leftarrow B - qD$, $B \leftarrow D$, $D \leftarrow T$, $T \leftarrow \hat a - q\hat b$, $\hat a \leftarrow \hat b$, $\hat b \leftarrow T$ and go to step 3 (all these operations are single precision operations).

5. [Multi-precision step] If $B = 0$, set $q \leftarrow \lfloor a/b \rfloor$ and simultaneously $t \leftarrow a \bmod b$ using multi-precision division, then $a \leftarrow b$, $b \leftarrow t$, $t \leftarrow u - qv_1$, $u \leftarrow v_1$, $v_1 \leftarrow t$ and go to step 2.

Otherwise, set $t \leftarrow Aa$, $t \leftarrow t + Bb$, $r \leftarrow Ca$, $r \leftarrow r + Db$, $a \leftarrow t$, $b \leftarrow r$, $t \leftarrow Au$, $t \leftarrow t + Bv_1$, $r \leftarrow Cu$, $r \leftarrow r + Dv_1$, $u \leftarrow t$, $v_1 \leftarrow r$ using linear-time multi-precision operations, and go to step 2.

In a similar way, the binary algorithm can be extended to find u and v. The algorithm is as follows.

Algorithm 1.3.8 (Binary Extended). Given non-negative integers a and b, this algorithm determines (u, v, d) such that $au + bv = d$ and $d = (a, b)$. We use auxiliary variables $v_1$, $v_3$, $t_1$, $t_3$, and two Boolean flags $f_1$ and $f_2$.

1. [Reduce size once] If $a < b$ exchange a and b and set $f_1 \leftarrow 1$, otherwise set $f_1 \leftarrow 0$. Now if $b = 0$, output (1, 0, a) if $f_1 = 0$, (0, 1, a) if $f_1 = 1$ and terminate the algorithm. Otherwise, let $a = bq + r$ be the Euclidean division of a by b, where $0 \le r < b$, and set $a \leftarrow b$ and $b \leftarrow r$.

2. [Compute power of 2] If $b = 0$, output (0, 1, a) if $f_1 = 0$, (1, 0, a) if $f_1 = 1$ and terminate the algorithm. Otherwise, set $k \leftarrow 0$, and while a and b are both even, set $k \leftarrow k + 1$, $a \leftarrow a/2$, $b \leftarrow b/2$.

3. [Initialize] If b is even, exchange a and b and set $f_2 \leftarrow 1$, otherwise set $f_2 \leftarrow 0$. Then set $u \leftarrow 1$, $d \leftarrow a$, $v_1 \leftarrow b$, $v_3 \leftarrow b$. If a is odd, set $t_1 \leftarrow 0$, $t_3 \leftarrow -b$ and go to step 5, else set $t_1 \leftarrow (1 + b)/2$, $t_3 \leftarrow a/2$.

4. [Remove powers of 2] If $t_3$ is even do as follows. Set $t_3 \leftarrow t_3/2$, $t_1 \leftarrow t_1/2$ if $t_1$ is even and $t_1 \leftarrow (t_1 + b)/2$ if $t_1$ is odd, and repeat step 4.

5. [Loop] If $t_3 > 0$, set $u \leftarrow t_1$ and $d \leftarrow t_3$, otherwise, set $v_1 \leftarrow b - t_1$, $v_3 \leftarrow -t_3$.

6. [Subtract] Set $t_1 \leftarrow u - v_1$, $t_3 \leftarrow d - v_3$. If $t_1 < 0$, set $t_1 \leftarrow t_1 + b$. Finally, if $t_3 \ne 0$, go to step 4.

7. [Terminate] Set $v \leftarrow (d - au)/b$ and $d \leftarrow 2^k d$. If $f_2 = 1$ exchange u and v. Then set $u \leftarrow u - vq$. Finally, output (u, v, d) if $f_1 = 1$, (v, u, d) if $f_1 = 0$, and terminate the algorithm.

Proof. The proof is similar to that of Algorithm 1.3.6. We introduce three more variables $v_2$, $t_2$ and v and we require that at the start of step 4 we always have

$$At_1 + Bt_2 = t_3, \qquad Au + Bv = d, \qquad Av_1 + Bv_2 = v_3,$$

where A and B are the values of a and b after step 3. For this to be true, we must initialize them by setting (in step 3) $v \leftarrow 0$, $v_2 \leftarrow 1 - a$ and $t_2 \leftarrow -1$ if a is odd, $t_2 \leftarrow -a/2$ if a is even. After this, the three relations will continue to be true provided we suitably update $v_2$, $t_2$ and v. Since, when the algorithm terminates, d will be the GCD of A and B, it suffices to backtrack from both the division step and the exchanges done in the first few steps in order to obtain the correct values of u and v (as is done in step 7). We leave the details to the reader. □

Euclid's "extended" algorithm, i.e. the algorithm used to compute (u, v, d) and not d alone, is useful in many different contexts. For example, one frequent use is to compute an inverse (or more generally a division) modulo m. Assume one wants to compute the inverse of a number b modulo m. Then, using Algorithm 1.3.6, 1.3.7 or 1.3.8, compute (u, v, d) such that $bu + mv = d = (b, m)$. If $d > 1$ send an error message stating that b is not invertible, otherwise the inverse of b is u. Notice that in this case, we can avoid computing v in step 2 of Algorithm 1.3.6 and in the analogous steps in the other algorithms.

There are other methods to compute $b^{-1} \bmod m$ when the factorization of m is known, for example when m is a prime. By Euler-Fermat's Theorem 1.4.2, we know that, if $(b, m) = 1$ (which can be tested very quickly since the factorization of m is known), then

$$b^{\phi(m)} \equiv 1 \pmod{m},$$

where $\phi(m)$ is Euler's $\phi$ function (see [H-W]). Hence, the inverse of b modulo m can be obtained by computing

$$b^{-1} \equiv \qquad \pmod{m},$$

using the powering Algorithm 1.2.1.

Note however that the powering algorithms are $O(\ln^3 m)$ algorithms, which is worse than the time for Euclid's extended algorithm. Nonetheless they can be useful in certain cases. A practical comparison of these methods is done in [Bre1].
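As an added example (not code from the book), Algorithm 1.3.6 written out with the book's variable names, then used exactly as the preceding paragraphs describe: for a modular inverse, with the Euler-Fermat powering route beside it, and for the inverse of a public exponent modulo $\phi(N)$, which is where this computation shows up in practice. The RSA parameters and the function names are constructed for illustration; the exponent $\phi(m) - 1$ in the powering route is the one Euler's congruence $b^{\phi(m)} \equiv 1$ yields.

```python
# Added example: Algorithm 1.3.6 (Euclid Extended) and its use for modular
# inversion, as described in the text.  Not the book's own code.

def euclid_extended(a, b):
    """Algorithm 1.3.6: return (u, v, d) with a*u + b*v = d = gcd(a, b).

    a and b are non-negative integers; the loop carries u, d, v1, v3 and the
    temporaries t1, t3 exactly as steps 1-3 do.
    """
    if a < 0 or b < 0:
        raise ValueError("Algorithm 1.3.6 expects non-negative a and b")
    # Step 1 [Initialize]
    u, d = 1, a
    if b == 0:
        return u, 0, d
    v1, v3 = 0, b
    # Step 2 [Finished?] and step 3 [Euclidean step]
    while v3 != 0:
        q, t3 = divmod(d, v3)            # quotient and remainder "simultaneously"
        t1 = u - q * v1
        u, d, v1, v3 = v1, v3, t1, t3
    # Step 2 with v3 = 0: the division (d - a*u)/b is exact
    v = (d - a * u) // b
    return u, v, d


def mod_inverse(b, m):
    """Inverse of b modulo m via Algorithm 1.3.6, as the text prescribes.

    Computes (u, v, d) with b*u + m*v = d = gcd(b, m); d > 1 means b is not
    invertible.  b is reduced modulo m first so the algorithm only ever sees
    non-negative inputs (an added normalization, not a step of the book).
    """
    if m <= 1:
        raise ValueError("modulus must be at least 2")
    u, _v, d = euclid_extended(b % m, m)
    if d != 1:
        raise ValueError(f"{b} is not invertible modulo {m}: gcd = {d}")
    return u % m                         # u is only defined modulo m/d = m


def mod_inverse_by_euler(b, m, phi_m):
    """The alternative route: b^(phi(m) - 1) mod m, valid when gcd(b, m) = 1.

    phi_m must be Euler's phi of m, which presupposes the factorization of m.
    The text notes this costs O(ln^3 m), slower than the Euclidean route.
    """
    if euclid_extended(b % m, m)[2] != 1:
        raise ValueError(f"{b} is not invertible modulo {m}")
    return pow(b, phi_m - 1, m)


def rsa_private_exponent(e, p, q):
    """Constructed textbook RSA key setup: d = e^(-1) mod phi(N), N = p*q.

    The toy primes used in the test are for illustration only; real keys use
    large random primes, but the inversion step is the same.
    """
    phi = (p - 1) * (q - 1)
    return mod_inverse(e, phi)
```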


1.3.3 The Chinese Remainder Theorem

We recall the following theorem:

Theorem 1.3.9 (Chinese Remainder Theorem). Let $m_1, \dots, m_k$ and $x_1, \dots, x_k$ be integers. Assume that for every pair (i, j) we have

$$x_i \equiv x_j \pmod{\gcd(m_i, m_j)}.$$

There exists an integer x such that

$$x \equiv x_i \pmod{m_i} \quad \text{for } 1 \le i \le k.$$

Furthermore, x is unique modulo the least common multiple of $m_1, \dots, m_k$.

Corollary 1.3.10. Let $m_1, \dots, m_k$ be pairwise coprime integers, i.e. such that

$$\gcd(m_i, m_j) = 1 \quad \text{when } i \ne j.$$

Then, for any integers $x_i$, there exists an integer x, unique modulo $\prod m_i$, such that

$$x \equiv x_i \pmod{m_i} \quad \text{for } 1 \le i \le k.$$


We need an algorithm to compute x. We will consider only the case where the $m_i$ are pairwise coprime, since this is by far the most useful situation. Set $M = \prod_{1 \le i \le k} m_i$ and $M_i = M/m_i$. Since the $m_i$ are coprime in pairs, $\gcd(M_i, m_i) = 1$, hence by Euclid's extended algorithm we can find $a_i$ such that $a_i M_i \equiv 1 \pmod{m_i}$. If we set

$$x = \sum_{1 \le i \le k} a_i M_i x_i,$$

it is clear that x satisfies the required conditions. Therefore, we can output $x \bmod M$ as the result.

This method could be written explicitly as a formal algorithm. However we want to make one improvement before doing so. Notice that the necessary constants $a_i$ are small (less than $m_i$), but the $M_i$ or the $a_i M_i$ which are also needed can be very large. There is an ingenious way to avoid using such large numbers, and this leads to the following algorithm. Its verification is left to the reader.

Algorithm 1.3.11 (Chinese). Given pairwise coprime integers $m_i$ ($1 \le i \le k$) and integers $x_i$, this algorithm finds an integer x such that $x \equiv x_i \pmod{m_i}$ for all i. Note that steps 1 and 2 are a precomputation which needs to be done only once when the $m_i$ are fixed and the $x_i$ vary.

1. [Initialize] Set $j \leftarrow 2$, $C_1 \leftarrow 1$. In addition, if it is not too costly, reorder the $m_i$ (and hence the $x_i$) so that they are in increasing order.

2. [Precomputations] Set $p \leftarrow m_1 m_2 \cdots m_{j-1} \pmod{m_j}$. Compute (u, v, d) such that $up + vm_j = d = \gcd(p, m_j)$ using a suitable version of Euclid's extended algorithm. If $d > 1$ output an error message (the $m_i$ are not pairwise coprime). Otherwise, set $C_j \leftarrow u$, $j \leftarrow j + 1$, and go to step 2 if $j \le k$.

3. [Compute auxiliary constants] Set $y_1 \leftarrow x_1 \bmod m_1$, and for $j = 2, \dots, k$ compute (as written)

$$y_j \leftarrow \bigl(x_j - (y_1 + m_1(y_2 + m_2(y_3 + \cdots + m_{j-2} y_{j-1}) \cdots))\bigr) C_j \bmod m_j.$$

4. [Terminate] Output

$$x \leftarrow y_1 + m_1(y_2 + m_2(y_3 + \cdots + m_{k-1} y_k) \cdots)),$$

and terminate the algorithm.

Note that we will have $0 \le x < M = \prod m_i$.

As an exercise, the reader can give an algorithm which finds x in the more general case of Theorem 1.3.9 where the $m_i$ are not assumed to be pairwise coprime. It is enough to write an algorithm such as the one described before Algorithm 1.3.11, since it will not be used very often (Exercise 9).

Since this algorithm is more complex than the algorithm mentioned previously, it should only be used when the $m_i$ are fixed moduli, and not just for a one shot problem. In this last case it is preferable to use the formula for two numbers inductively as follows. We want $x \equiv x_i \pmod{m_i}$ for $i = 1, 2$. Since the $m_i$ are relatively prime, using Euclid's extended algorithm we can find u and v such that

$$um_1 + vm_2 = 1.$$

It is clear that

$$x = um_1 x_2 + vm_2 x_1 \bmod m_1 m_2$$

is a solution to our problem. This leads to the following.

Algorithm 1.3.12 (Inductive Chinese). Given pairwise coprime integers $m_i$ ($1 \le i \le k$) and integers $x_i$, this algorithm finds an integer x such that $x \equiv x_i \pmod{m_i}$ for all i.

1. [Initialize] Set $i \leftarrow 1$, $m \leftarrow m_1$, $x \leftarrow x_1$.

2. [Finished?] If $i = k$ output x and terminate the algorithm. Otherwise, set $i \leftarrow i + 1$, and by a suitable version of Euclid's extended algorithm compute u and v such that $um + vm_i = 1$.

3. [Compute next x] Set $x \leftarrow umx_i + vm_i x$, $m \leftarrow mm_i$, $x \leftarrow x \bmod m$ and go to step 2.
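As an added example (not the book's code), Algorithm 1.3.11 with its precomputation split out from the per-input work, beside Algorithm 1.3.12 for the one-shot case. Where the text says "a suitable version of Euclid's extended algorithm", Python's built-in `pow(x, -1, m)` is used for the inverse; the nested expression of step 3 is evaluated innermost-first and reduced modulo $m_j$ at each stage, which is what keeps every intermediate value small.

```python
# Added example: Algorithm 1.3.11 (Chinese) and Algorithm 1.3.12 (Inductive
# Chinese).  Not the book's own code; pow(x, -1, m) replaces the extended
# Euclidean step wherever an inverse is needed.

def chinese_precompute(moduli):
    """Steps 1-2 of Algorithm 1.3.11: C[j] = (m_1 ... m_{j-1})^(-1) mod m_j.

    Done once for fixed moduli.  Returns a 1-indexed list with C[1] = 1 and
    raises ValueError if the moduli are not pairwise coprime, as step 2 does.
    (The optional reordering of step 1 is not performed here.)
    """
    k = len(moduli)
    C = [None, 1]                        # C[0] unused, C[1] = 1
    for j in range(2, k + 1):
        mj = moduli[j - 1]
        p = 1
        for i in range(1, j):            # p <- m_1 m_2 ... m_{j-1}  (mod m_j)
            p = (p * moduli[i - 1]) % mj
        try:
            C.append(pow(p, -1, mj))     # u with u*p = 1 (mod m_j)
        except ValueError:
            raise ValueError("moduli are not pairwise coprime") from None
    return C


def chinese(moduli, residues, C):
    """Steps 3-4 of Algorithm 1.3.11: the digits y_j, then x with 0 <= x < M."""
    k = len(moduli)
    y = [None] * (k + 1)
    y[1] = residues[0] % moduli[0]
    for j in range(2, k + 1):
        mj = moduli[j - 1]
        # inner = y_1 + m_1(y_2 + m_2(y_3 + ... + m_{j-2} y_{j-1})...),
        # evaluated from the inside out and reduced mod m_j as it goes.
        inner = 0
        for i in range(j - 1, 0, -1):
            inner = (y[i] + moduli[i - 1] * inner) % mj
        y[j] = ((residues[j - 1] - inner) * C[j]) % mj
    x = 0                                # step 4: same nesting, all k digits
    for i in range(k, 0, -1):
        x = y[i] + moduli[i - 1] * x
    return x


def chinese_inductive(moduli, residues):
    """Algorithm 1.3.12: fold the two-modulus formula x = u m x_i + v m_i x.

    u m + v m_i = 1 comes from the inverse u of m modulo m_i, with v then
    fixed exactly by v = (1 - u m) / m_i.
    """
    m, x = moduli[0], residues[0] % moduli[0]
    for mi, xi in zip(moduli[1:], residues[1:]):
        try:
            u = pow(m, -1, mi)
        except ValueError:
            raise ValueError("moduli are not pairwise coprime") from None
        v = (1 - u * m) // mi            # exact, since u*m = 1 (mod m_i)
        x = (u * m * xi + v * mi * x) % (m * mi)
        m *= mi
    return x
```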

Note that the results and algorithms of this section remain true if we replace $\mathbb{Z}$ by any Euclidean domain, for example the polynomial ring $K[X]$ where K is a field.


1.3.4 Continued Fraction Expansions of Real Numbers

We now come to a subject which, though closely linked to Euclid's algorithm, has a different flavor. Consider first the following apparently simple problem. Let $x \in \mathbb{R}$ be given by an approximation (for example a decimal or binary one). Decide if x is a rational number or not. Of course, this question as posed does not really make sense, since an approximation is usually itself a rational number. In practice however the question does make a lot of sense in many different contexts, and we can make it algorithmically more precise. For example, assume that one has an algorithm which allows us to compute x to as many decimal places as one likes (this is usually the case). Then, if one claims that x is (approximately) equal to a rational number p/q, this means that p/q should still be extremely close to x whatever the number of decimals asked for, p and q being fixed. This is still not completely rigorous, but it comes quite close to actual practice, so we shall be content with this notion.

Now how does one find p and q if x is indeed a rational number? The standard (and algorithmically excellent) answer is to compute the continued fraction expansion of x, i.e. find integers $a_i$ such that $a_i \ge 1$ for $i \ge 1$ and

$$x = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}},$$

which we shall write as $x = [a_0, a_1, a_2, a_3, \dots]$. If a/b is the given (rational) approximation to x, then the $a_i$ are obtained by simply using Euclid's algorithm on the pair (a, b), the $a_i$ being the successive partial quotients. The number x is rational if and only if its continued fraction expansion is finite, i.e. if and only if one of the $a_i$ is infinite. Since x is only given with the finite precision a/b, x will be considered rational if x has a very large partial quotient $a_i$ in its continued fraction expansion. Of course this is subjective, but should be put to the stringent test mentioned above. For example, if one uses the approximation $\pi \approx 3.1415926$ one finds that the continued fraction for $\pi$ should start with $[3, 7, 15, 1, 243, \dots]$ and 243 does seem a suspiciously large partial quotient, so we suspect that $\pi = 355/113$, which is the rational number whose continued fraction is exactly $[3, 7, 15, 1]$. If we compute a few more decimals of $\pi$ however, we see that this equality is not true. Nonetheless, 355/113 is still an excellent approximation to $\pi$ (the continued fraction expansion of $\pi$ starts in fact $[3, 7, 15, 1, 292, 1, \dots]$).

To implement a method for computing continued fractions of real numbers, I suggest using the following algorithm, which says exactly when to stop.

Algorithm 1.3.13 (Lehmer). Given a real number x by two rational numbers a/b and a'/b' such that $a/b \le x \le a'/b'$, this algorithm computes the continued fraction expansion of x and stops exactly when it is not possible to determine the next partial quotient from the given approximants a/b and a'/b', and it gives lower and upper bounds for this next partial quotient.

1. [Initialize] Set $i \leftarrow 0$.

2. [Euclidean step] Let $a = bq + r$ be the Euclidean division of a by b, and set $r' \leftarrow a' - b'q$. If $r' < 0$ or $r' \ge b'$ set $q' \leftarrow \lfloor a'/b' \rfloor$ and go to step 4.

3. [Output quotient] Set $a_i \leftarrow q$ and output $a_i$, then set $i \leftarrow i + 1$, $a \leftarrow b$, $b \leftarrow r$, $a' \leftarrow b'$ and $b' \leftarrow r'$. If b and b' are non-zero, go to step 2. If $b = b' = 0$, terminate the algorithm. Finally, if $b = 0$ set $q \leftarrow \infty$ and $q' \leftarrow \lfloor a'/b' \rfloor$, while if $b' = 0$ set $q \leftarrow \lfloor a/b \rfloor$ and $q' \leftarrow \infty$.

4. [Terminate] If $q > q'$ output the inequality $q' \le a_i \le q$, otherwise output $q \le a_i \le q'$. Terminate the algorithm.

Note that the $\infty$ mentioned in step 3 is only a mathematical abstraction needed to make step 4 make sense, but it does not need to be represented in a machine by anything more than some special code.

This algorithm runs in at most twice the time needed for the Euclidean algorithm on a and b alone, since, in addition to doing one Euclidean division at each step, we also multiply q by b'.
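As an added example (not the book's code), Algorithm 1.3.13 run on the text's own case, $\pi$ known only to lie between 3.1415926 and 3.1415927, together with the convergent p/q of the partial quotients it certifies, which is how p and q are recovered once the expansion is believed to be finite. `math.inf` stands in for the book's $\infty$; the function names are constructed.

```python
# Added example: Algorithm 1.3.13 (Lehmer) on an interval [a/b, a'/b'] that
# contains x, plus the convergent of a finite list of partial quotients.
# Not the book's own code.
import math

def lehmer_cf(a, b, a2, b2):
    """Algorithm 1.3.13 with a'/b' written a2/b2.

    Returns (quotients, lo, hi): the partial quotients a_0, a_1, ... shared by
    every x in [a/b, a2/b2], and bounds lo <= a_i <= hi for the first one the
    approximants cannot decide (hi may be math.inf, the book's "oo").
    If a/b == a2/b2 the expansion is complete and lo = hi = None.
    """
    if b <= 0 or b2 <= 0 or a * b2 > a2 * b:
        raise ValueError("need a/b <= a'/b' with positive denominators")
    quotients = []
    while True:
        # Step 2 [Euclidean step]: a = b q + r, then try the same q on a'/b'
        q, r = divmod(a, b)
        r2 = a2 - b2 * q
        if r2 < 0 or r2 >= b2:           # a'/b' has a different quotient
            q2 = a2 // b2
            break
        # Step 3 [Output quotient]: both approximants agree on q
        quotients.append(q)
        a, b, a2, b2 = b, r, b2, r2
        if b != 0 and b2 != 0:
            continue
        if b == 0 and b2 == 0:
            return quotients, None, None
        if b == 0:                       # lower approximant terminated here
            q, q2 = math.inf, a2 // b2
        else:                            # upper approximant terminated here
            q, q2 = a // b, math.inf
        break
    # Step 4 [Terminate]: report the two candidates in increasing order
    lo, hi = (q2, q) if q > q2 else (q, q2)
    return quotients, lo, hi


def convergent(quotients):
    """p/q equal to the finite continued fraction [a_0, ..., a_n], by the
    recurrences p_i = a_i p_{i-1} + p_{i-2}, q_i = a_i q_{i-1} + q_{i-2}."""
    p_prev, p = 1, quotients[0]
    q_prev, q = 0, 1
    for ai in quotients[1:]:
        p_prev, p = p, ai * p + p_prev
        q_prev, q = q, ai * q + q_prev
    return p, q


def pi_example():
    """The text's example: pi known only as 3.1415926 <= pi <= 3.1415927.
    Certifies [3, 7, 15, 1] and brackets the next quotient, 243 <= a_4 <= 354,
    so the "suspicious" 243 is an artefact of the precision, not of pi."""
    return lehmer_cf(31415926, 10**7, 31415927, 10**7)
```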

We can now solve the following problem: given two complex numbers $z_1$ and $z_2$, are they $\mathbb{Q}$-linearly dependent? This is equivalent to $z_1/z_2$ being rational, so the solution is this: compute $z \leftarrow z_1/z_2$. If the imaginary part of z is non-zero (to the degree of approximation that one has), then $z_1$ and $z_2$ are not even $\mathbb{R}$-linearly dependent. If it is zero, then compute the continued fraction expansion of the real part of z using Algorithm 1.3.13, and look for large partial quotients as explained above.

We will see in Section 2.7.2 that the LLL algorithms allow us to determine in a satisfactory way the problem of $\mathbb{Q}$-linear dependence of more than two complex or real numbers.

Another closely related problem is the following: given two vectors a and b in a Euclidean vector space, determine the shortest non-zero vector which is a $\mathbb{Z}$-linear combination of a and b (we will see in Chapter 2 that the set of such $\mathbb{Z}$-linear combinations is called a lattice, here of dimension 2). One solution, called Gaussian reduction, is again a form of Euclid's algorithm, and is as follows.

Algorithm 1.3.14 (Gauss). Given two linearly independent vectors a and b in a Euclidean vector space, this algorithm determines one of the shortest non-zero vectors which is a $\mathbb{Z}$-linear combination of a and b. We denote by $\cdot$ the Euclidean inner product and write $|a|^2 = a \cdot a$. We use a temporary scalar variable T, and a temporary vector variable t.

1. [Initialize] Set $A \leftarrow |a|^2$, $B \leftarrow |b|^2$. If $A < B$ then exchange a and b and exchange A and B.

2. [Euclidean step] Set $n \leftarrow a \cdot b$, $r \leftarrow [n/B]$, where $[x] = \lfloor x + 1/2 \rfloor$ is the nearest integer to x, and $T \leftarrow A - 2rn + r^2 B$.

3. [Finished?] If $T \ge B$ then output b and terminate the algorithm. Otherwise, set $t \leftarrow a - rb$, $a \leftarrow b$, $b \leftarrow t$, $A \leftarrow B$, $B \leftarrow T$ and go to step 2.

Proof. Note that A and B are always equal to $|a|^2$ and $|b|^2$ respectively. I first claim that an integer r such that $|a - rb|$ has minimal length is given by the formula of step 2. Indeed, we have

$$|a - xb|^2 = Bx^2 - 2(a \cdot b)x + A,$$

and this is minimum for real x for $x = a \cdot b / B$. Hence, since a parabola is symmetrical at its minimum, the minimum for integral x is the nearest integer (or one of the two nearest integers) to the minimum, and this is the formula given in step 2.

Thus, at the end of the algorithm we know that $|a - mb| \ge |b|$ for all integers m. It is clear that the transformation which sends the pair (a, b) to the pair $(b, a - rb)$ has determinant $-1$, hence the $\mathbb{Z}$-module L generated by a and b stays the same during the algorithm. Therefore, let $x = ua + vb$ be a non-zero element of L. If $u = 0$, we must have $v \ne 0$ hence trivially $|x| \ge |b|$. Otherwise, let $v = uq + r$ be the Euclidean division of v by u, where $0 \le r < |u|$. Then we have

$$|x| = |u(a + qb) + rb| \ge |u||a + qb| - |r||b| \ge (|u| - |r|)|b| \ge |b|$$

since by our above claim $|a + qb| \ge |b|$ for any integer q, hence b is indeed one of the shortest vectors of L, proving the validity of the algorithm.

Note that the algorithm must terminate since there are only a finite number of vectors of L with norm less than or equal to a given constant (compact + discrete = finite!). In fact the number of steps can easily be seen to be comparable to that of the Euclidean algorithm, hence this algorithm is very efficient. □
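As an added example (not the book's code), Algorithm 1.3.14 on integer vectors in $\mathbb{Z}^n$, with the nearest-integer rounding of step 2 done in exact integer arithmetic so no floating point enters. The two sample bases in the test are constructed; the dependent-input check is an addition, since the algorithm's precondition is linear independence.

```python
# Added example: Algorithm 1.3.14 (Gauss) for a rank-2 integer lattice.
# Not the book's own code.

def dot(u, v):
    """Euclidean inner product of two equal-length integer vectors."""
    return sum(x * y for x, y in zip(u, v))


def nearest_integer(n, B):
    """[n/B] = floor(n/B + 1/2) in integer arithmetic only (B > 0);
    Python's floor division keeps this right for negative n."""
    return (2 * n + B) // (2 * B)


def gauss_reduce(a, b):
    """Return one of the shortest non-zero vectors of the lattice Z a + Z b.

    A = |a|^2, B = |b|^2, n = a.b and T = |a - r b|^2 follow the book's
    variables; each step replaces (a,b) by (b, a - r b), which has
    determinant -1 and so leaves the lattice unchanged.
    """
    a, b = tuple(a), tuple(b)
    # Step 1 [Initialize]: make a the longer of the two
    A, B = dot(a, a), dot(b, b)
    if A < B:
        a, b, A, B = b, a, B, A
    while True:
        if B == 0:                       # only reachable for dependent inputs
            raise ValueError("a and b are linearly dependent")
        # Step 2 [Euclidean step]: r minimizes |a - r b| over the integers
        n = dot(a, b)
        r = nearest_integer(n, B)
        T = A - 2 * r * n + r * r * B    # = |a - r b|^2
        # Step 3 [Finished?]
        if T >= B:
            return b
        t = tuple(x - r * y for x, y in zip(a, b))
        a, b, A, B = b, t, B, T
```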

We will see in Section 2.6 that the LLL algorithm allows us to determine efficiently small $\mathbb{Z}$-linear combinations for more than two linearly independent vectors in a Euclidean space. It does not always give an optimal solution, but, in most situations, the results are sufficiently good to be very useful.

1.4.1 The Groups $(\mathbb{Z}/n\mathbb{Z})^*$

By definition, when A is a commutative ring with unit, we will denote by $A^*$ the group of units of A, i.e. of invertible elements of A. It is clear that $A^*$ is a group, and also that $A^* = A \setminus \{0\}$ if and only if A is a field. Now we have the following fundamental theorem which gives the structure of $(\mathbb{Z}/n\mathbb{Z})^*$ (see [Ser] and Exercise 13).


Theorem 1.4.1. We have

$$|(\mathbb{Z}/n\mathbb{Z})^*| = \phi(n) = n \prod_{p \mid n} \Bigl(1 - \frac{1}{p}\Bigr),$$

and more precisely

$$(\mathbb{Z}/n\mathbb{Z})^* \simeq \prod_{p^a \parallel n} (\mathbb{Z}/p^a\mathbb{Z})^*,$$

where

$$(\mathbb{Z}/p^a\mathbb{Z})^* \simeq \mathbb{Z}/(p-1)p^{a-1}\mathbb{Z}$$

(i.e. is cyclic) when $p \ge 3$ or $p = 2$ and $a \le 2$, and

$$(\mathbb{Z}/2^a\mathbb{Z})^* \simeq \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2^{a-2}\mathbb{Z}$$

when $p = 2$ and $a \ge 3$.

Now when $(\mathbb{Z}/n\mathbb{Z})^*$ is cyclic, i.e. by the above theorem when n is equal either to $p^a$, $2p^a$ with p an odd prime, or $n = 2$ or 4, an integer g such that the class of g generates $(\mathbb{Z}/n\mathbb{Z})^*$ will be called a primitive root modulo n. Recall that the order of an element g in a group is the least positive integer n such that $g^n$ is equal to the identity element of the group. When the group is finite, the order of any element divides the order of the group. Furthermore, g is a primitive root of $(\mathbb{Z}/n\mathbb{Z})^*$ if and only if its order is exactly equal to $\phi(n)$. As a corollary of the above results, we obtain the following:

Proposition 1.4.2.

(1) (Fermat). If p is a prime and a is not divisible by p, then we have

$$a^{p-1} \equiv 1 \pmod{p}.$$

(2) (Euler). More generally, if n is a positive integer, then for any integer a coprime to n we have

$$a^{\phi(n)} \equiv 1 \pmod{n},$$

and even

$$a^{\phi(n)/2} \equiv 1 \pmod{n}$$

if n is not equal to 2, 4, $p^a$ or $2p^a$ with p an odd prime.


To compute the order of an element in a finite group G, we use the following straightforward algorithm.

Algorithm 1.4.3 (Order of an Element). Given a finite group G of cardinality $h = |G|$, and an element $g \in G$, this algorithm computes the order of g in G. We denote by 1 the unit element of G.

1. [Initialize] Compute the prime factorization of h, say $h = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$, and set $e \leftarrow h$, $i \leftarrow 0$.

2. [Next $p_i$] Set $i \leftarrow i + 1$. If $i > k$, output e and terminate the algorithm. Otherwise, set $e \leftarrow e/p_i^{a_i}$, $g_1 \leftarrow g^e$.

3. [Compute local order] While $g_1 \ne 1$, set $g_1 \leftarrow g_1^{p_i}$ and $e \leftarrow e \cdot p_i$. Go to step 2.

Note that we need the complete factorization of h for this algorithm to work. This may be difficult when the group is very large.

Let p be a prime. To find a primitive root modulo p there seems to be no better way than to proceed as follows. Try $g = 2$, $g = 3$, etc., until g is a primitive root. One should avoid perfect powers since if $g = g_0^k$ is a perfect power, then if g is a primitive root, so is $g_0$, which has already been tested.

To see whether g is a primitive root, we could compute the order of g using the above algorithm. But it is more efficient to proceed as follows.

Algorithm 1.4.4 (Primitive Root). Given an odd prime p, this algorithm finds a primitive root modulo p.

1. [Initialize a] Set $a \leftarrow 1$ and let $p - 1 = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ be the complete factorization of $p - 1$.

2. [Initialize check] Set $a \leftarrow a + 1$ and $i \leftarrow 1$.

3. [Check $p_i$] Compute $e \leftarrow a^{(p-1)/p_i} \bmod p$. If $e = 1$ go to step 2. Otherwise, set $i \leftarrow i + 1$.

4. [Finished?] If $i > k$ output a and terminate the algorithm, otherwise go to step 3.

Note that we do not avoid testing prime powers, hence this simple algorithm can still be improved if desired. In addition, the test for $p_i = 2$ can be replaced by the more efficient check that the Legendre symbol $\left(\frac{a}{p}\right)$ is equal to $-1$ (see Algorithm 1.4.10 below).

If n is not a prime, but is such that there exists a primitive root modulo n, we could, of course, use the above two algorithms by modifying them suitably. It is more efficient to proceed as follows.

First, if $n = 2$ or $n = 4$, $g = n - 1$ is a primitive root. When $n = 2^a$ is a power of 2 with $a \ge 3$, $(\mathbb{Z}/n\mathbb{Z})^*$ is not cyclic any more, but is isomorphic to the product of $\mathbb{Z}/2\mathbb{Z}$ with a cyclic group of order $2^{a-2}$. Then $g = 5$ is always a generator of this cyclic subgroup (see Exercise 14), and can serve as a substitute in this case if needed.

When $n = p^a$ is a power of an odd prime, with $a \ge 2$, then we use the following lemma.

Lemma 1.4.5. Let p be an odd prime, and let g be a primitive root modulo p. Then either g or $g + p$ is a primitive root modulo every power of p.

Proof. For any m we have $m^p \equiv m \pmod{p}$, hence it follows that for every prime l dividing $p - 1$, $g^{p^{a-1}(p-1)/l} \equiv g^{(p-1)/l} \not\equiv 1 \pmod{p}$. So for g to be a primitive root, we need only that $g^{p^{a-2}(p-1)} \not\equiv 1 \pmod{p^a}$. But one checks immediately by induction that $x^p \equiv 1 \pmod{p^a}$ implies that $x \equiv 1 \pmod{p^b}$ for every $b \le a - 1$. Applying this to $x = g^{p^{a-3}(p-1)}$ we see that our condition on g is equivalent to the same condition with a replaced by $a - 1$, hence by induction to the condition $g^{p-1} \not\equiv 1 \pmod{p^2}$. But if $g^{p-1} \equiv 1 \pmod{p^2}$, then by the binomial theorem $(g + p)^{p-1} \equiv 1 - pg^{p-2} \not\equiv 1 \pmod{p^2}$, thus proving the lemma. □

Therefore to find a primitive root modulo $p^a$ for p an odd prime and $a \ge 2$, proceed as follows: first compute g, a primitive root modulo p, using Algorithm 1.4.4, then compute $g_1 \leftarrow g^{p-1} \bmod p^2$. If $g_1 \ne 1$, g is a primitive root modulo $p^a$ for every a, otherwise $g + p$ is.

Finally, note that when p is an odd prime, if g is a primitive root modulo $p^a$ then g or $g + p^a$ (whichever is odd) is a primitive root modulo $2p^a$.
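As an added example (not the book's code), Algorithm 1.4.3 and Algorithm 1.4.4 in $G = (\mathbb{Z}/n\mathbb{Z})^*$, followed by the Lemma 1.4.5 recipe for $p^a$ and the closing remark for $2p^a$. The factorization both algorithms require is done here by trial division, which is only adequate for small h; that limitation is exactly the caveat the text raises for large groups. Function names and the test values are constructed.

```python
# Added example: Algorithm 1.4.3 (Order of an Element), Algorithm 1.4.4
# (Primitive Root) and the Lemma 1.4.5 extension to prime powers, all in
# (Z/nZ)^*.  Not the book's own code.

def factorize(n):
    """Prime factorization of n >= 1 as {p: exponent}, by trial division.
    Fine for the small orders used here; hopeless for a large group."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def element_order(g, n, h):
    """Algorithm 1.4.3 for g in (Z/nZ)^*, with h = |(Z/nZ)^*| = phi(n)."""
    e = h
    for p, a in factorize(h).items():        # step 2: next p_i
        e //= p ** a
        g1 = pow(g, e, n)
        while g1 != 1:                       # step 3: local order at p_i
            g1 = pow(g1, p, n)
            e *= p
    return e


def primitive_root(p):
    """Algorithm 1.4.4: the smallest primitive root modulo the odd prime p."""
    primes = list(factorize(p - 1))          # step 1: factor p - 1
    a = 1
    while True:
        a += 1                               # step 2: next candidate
        # steps 3-4: a^((p-1)/p_i) != 1 (mod p) for every prime p_i | p - 1
        if all(pow(a, (p - 1) // q, p) != 1 for q in primes):
            return a


def primitive_root_prime_power(p, alpha):
    """Lemma 1.4.5: g or g + p generates (Z/p^alpha Z)^*, decided mod p^2."""
    g = primitive_root(p)
    if pow(g, p - 1, p * p) == 1:            # g^(p-1) = 1 (mod p^2): use g + p
        g += p
    return g


def primitive_root_twice_prime_power(p, alpha):
    """Closing remark: whichever of g, g + p^alpha is odd works mod 2 p^alpha."""
    g = primitive_root_prime_power(p, alpha)
    return g if g % 2 == 1 else g + p ** alpha
```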
1.4.2 The Legendre-Jacobi-Kronecker Symbol

Let p be an odd prime. Then it is easy to see that for a given integer a, the congruence

$$x^2 \equiv a \pmod{p}$$

can have either no solution (we say in this case that a is a quadratic non-residue mod p), one solution if $a \equiv 0 \pmod{p}$, or two solutions (we then say that a is a quadratic residue mod p). Define the Legendre symbol $\left(\frac{a}{p}\right)$ as being $-1$ if a is a quadratic non-residue, 0 if $a \equiv 0$, and 1 if a is a quadratic residue. Then the number of solutions modulo p of the above congruence is $1 + \left(\frac{a}{p}\right)$. Furthermore, one can easily show that this symbol has the following properties (see e.g. [H-W]):


Proposition 1.4.6.

(1) The Legendre symbol is multiplicative, i.e.

In particular, the product of two quadratic non-residues is a quadratic residue.

(2) We have the congruence

$$a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) \pmod{p}.$$

(3) There are as many quadratic residues as non-residues mod p, i.e. $(p-1)/2$.


We will see that the Legendre symbol is fundamental in many problems.
Thus, we need a way to compute it. One idea is to use the congruence
$a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) \pmod p$. Using the powering Algorithm 1.2.1, this enables
us to compute the Legendre symbol in time $O(\ln^3 p)$. We can improve on this
by using the Legendre-Gauss quadratic reciprocity law, which is itself a result
of fundamental importance:


Theorem  1.4.7.  Let  p  be  an  odd  prime.  Then: 


(1) 


(2) If $q$ is an odd prime different from $p$, then we have the reciprocity law:

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{(p-1)(q-1)/4}.$$
For a proof, see Exercises 16 and 18 and standard textbooks (e.g. [H-W],
[Ire-Ros]). 

This theorem can certainly help us to compute Legendre symbols since
$\left(\frac{a}{p}\right)$ is multiplicative in $a$ and depends only on $a$ modulo $p$. A direct use of
Theorem  1.4.7  would  require  factoring  all  the  numbers  into  primes,  and  this 
is  very  slow.  Luckily,  there  is  an  extension  of  this  theorem  which  takes  care  of 
this  problem.  We  first  need  to  extend  the  definition  of  the  Legendre  symbol. 


Definition 1.4.8. We define the Kronecker (or Kronecker-Jacobi) symbol $\left(\frac{a}{b}\right)$
for any $a$ and $b$ in $\mathbb{Z}$ in the following way.

(1) If $b = 0$, then $\left(\frac{a}{b}\right) = 1$ if $a = \pm 1$, and is equal to $0$ otherwise.

(2) For $b \ne 0$, write $b = \prod p$, where the $p$ are not necessarily distinct primes
(including $p = 2$), or $p = -1$ to take care of the sign. Then we set

$$\left(\frac{a}{b}\right) = \prod \left(\frac{a}{p}\right),$$

where $\left(\frac{a}{p}\right)$ is the Legendre symbol defined above for $p > 2$, and where we
define

$$\left(\frac{a}{2}\right) = \begin{cases} 0, & \text{if } a \text{ is even} \\ (-1)^{(a^2-1)/8}, & \text{if } a \text{ is odd,} \end{cases}$$

and also

$$\left(\frac{a}{-1}\right) = \begin{cases} 1, & \text{if } a > 0 \\ -1, & \text{if } a < 0. \end{cases}$$


Then,  from  the  properties  of  the  Legendre  symbol,  and  in  particular  from 
the  reciprocity  law  1.4.7,  one  can  prove  that  the  Kronecker  symbol  has  the 
following  properties: 


Theorem 1.4.9.

(1) $\left(\frac{a}{b}\right) = 0$ if and only if $(a, b) \ne 1$.

(2) For all $a$, $b$ and $c$ we have

$$\left(\frac{ab}{c}\right) = \left(\frac{a}{c}\right)\left(\frac{b}{c}\right), \qquad \left(\frac{a}{bc}\right) = \left(\frac{a}{b}\right)\left(\frac{a}{c}\right) \quad \text{if } bc \ne 0.$$

(3) $b > 0$ being fixed, the symbol $\left(\frac{a}{b}\right)$ is periodic in $a$ of period $b$ if $b \not\equiv 2 \pmod 4$,
otherwise it is periodic of period $4b$.

(4) $a \ne 0$ being fixed (positive or negative), the symbol $\left(\frac{a}{b}\right)$ is periodic in $b$ of
period $|a|$ if $a \equiv 0$ or $1 \pmod 4$, otherwise it is periodic of period $4|a|$.

(5) The formulas of Theorem 1.4.7 are still true if $p$ and $q$ are only supposed
to be positive odd integers, not necessarily prime.
Note that in this theorem (as in the rest of this book), when we say that a
function $f(x)$ is periodic of period $b$, this means that for all $x$, $f(x + b) = f(x)$,
but $b$ need not be the smallest possible period.

Theorem  1.4.9  is  a  necessary  prerequisite  for  any  study  of  quadratic  fields, 
and  the  reader  is  urged  to  prove  it  by  himself  (Exercise  17). 

As  has  been  mentioned,  a  consequence  of  this  theorem  is  that  it  is  easy 
to  design  a  fast  algorithm  to  compute  Legendre  symbols,  and  more  generally 
Kronecker  symbols  if  desired. 

Algorithm 1.4.10 (Kronecker). Given $a, b \in \mathbb{Z}$, this algorithm computes the
Kronecker symbol $\left(\frac{a}{b}\right)$ (hence the Legendre symbol when $b$ is an odd prime).

1. [Test $b$ equal to 0] If $b = 0$ then output $0$ if $|a| \ne 1$, $1$ if $|a| = 1$ and terminate
the algorithm.

2. [Remove 2's from $b$] If $a$ and $b$ are both even, output $0$ and terminate the
algorithm. Otherwise, set $v \leftarrow 0$ and while $b$ is even set $v \leftarrow v + 1$ and
$b \leftarrow b/2$. Then if $v$ is even set $k \leftarrow 1$, otherwise set $k \leftarrow (-1)^{(a^2-1)/8}$ (by
table lookup, not by computing $(a^2 - 1)/8$). Finally if $b < 0$ set $b \leftarrow -b$, and
if in addition $a < 0$ set $k \leftarrow -k$.

3. [Finished?] (Here $b$ is odd and $b > 0$.) If $a = 0$ then output $0$ if $b > 1$, $k$ if
$b = 1$, and terminate the algorithm. Otherwise, set $v \leftarrow 0$ and while $a$ is even
do $v \leftarrow v + 1$ and $a \leftarrow a/2$. If $v$ is odd set $k \leftarrow (-1)^{(b^2-1)/8}\,k$.

4. [Apply reciprocity] Set

$$k \leftarrow (-1)^{(a-1)(b-1)/4}\,k$$

(using if statements and no multiplications), and then $r \leftarrow |a|$, $a \leftarrow b \bmod r$,
$b \leftarrow r$ and go to step 3.

Remarks.

(1) As mentioned, the expressions $(-1)^{(a^2-1)/8}$ and $(-1)^{(a-1)(b-1)/4}$ should
not be computed as powers, even though they are written this way. For
example, to compute the first expression, set up and save a table tab2
containing

{0, 1, 0, -1, 0, -1, 0, 1},

and then the formula $(-1)^{(a^2-1)/8} = $ tab2[a&7], the & symbol denoting
bitwise and, which is a very fast operation compared to multiplication
(note that a&7 is equivalent to $a \bmod 8$). The instruction $k \leftarrow
(-1)^{(a-1)(b-1)/4}\,k$ is very efficiently translated in C by

if(a&b&2) k= -k;

(2) We need to prove that the algorithm is valid! It terminates since, because
except possibly the first time, at the beginning of step 3 we have $0 \le a < b$
and the value of $b$ is strictly decreasing. It gives the correct result because
of the following lemma which is an immediate corollary of Theorem 1.4.9:
Lemma 1.4.11. If $a$ and $b$ are odd integers with $b > 0$ (but not necessarily
$a > 0$), then we have

$$\left(\frac{a}{b}\right) = (-1)^{(a-1)(b-1)/4}\left(\frac{b}{|a|}\right).$$


(3)  We  may  want  to  avoid  cleaning  out  the  powers  of  2  in  step  3  at  each  pass 
through  the  loop.  We  can  do  this  by  slightly  changing  step  4  so  as  to 
always  end  up  with  an  odd  value  of  a.  This  however  may  have  disastrous 
effects  on  the  running  time,  which  may  become  exponential  instead  of 
polynomial  time  (see  [Bac-Sha]  and  Exercise  24). 

Note  that  Algorithm  1.4.10  can  be  slightly  improved  (by  a  small  constant 
factor)  by  adding  the  following  statement  at  the  end  of  the  assignments  of 
step 4, before going back to step 3: If $a > r/2$, then $a \leftarrow a - r$. This simply
means that we ask, not for the residue of $a \bmod r$ which is between $0$ and
$r - 1$, but for the one which is least in absolute value, i.e. between $-r/2$ and
r/2.  This  modification  could  also  be  used  in  Euclid’s  algorithms  if  desired,  if 
tests  suggest  that  it  is  faster  in  practice. 

One  can  also  use  the  binary  version  of  Euclid’s  algorithm  to  compute 
Kronecker  symbols.  Since,  in  any  case,  the  prime  2  plays  a  special  role,  this 
does  not  really  increase  the  complexity,  and  gives  the  following  algorithm. 

Algorithm 1.4.12 (Kronecker-Binary). Given $a, b \in \mathbb{Z}$, this algorithm computes
the Kronecker symbol $\left(\frac{a}{b}\right)$ (hence the Legendre symbol when $b$ is an odd
prime).

1. [Test $b = 0$] If $b = 0$ then output $0$ if $|a| \ne 1$, $1$ if $|a| = 1$ and terminate the
algorithm.

2. [Remove 2's from $b$] If $a$ and $b$ are both even, output $0$ and terminate the
algorithm. Otherwise, set $v \leftarrow 0$ and while $b$ is even set $v \leftarrow v + 1$ and
$b \leftarrow b/2$. Then if $v$ is even set $k \leftarrow 1$, otherwise set $k \leftarrow (-1)^{(a^2-1)/8}$ (by
table lookup, not by computing $(a^2 - 1)/8$). Finally, if $b < 0$ set $b \leftarrow -b$, and
if in addition $a < 0$ set $k \leftarrow -k$.

3. [Reduce size once] (Here $b$ is odd and $b > 0$.) Set $a \leftarrow a \bmod b$.

4. [Finished?] If $a = 0$, output $0$ if $b > 1$, $k$ if $b = 1$, and terminate the algorithm.

5. [Remove powers of 2] Set $v \leftarrow 0$ and, while $a$ is even, set $v \leftarrow v + 1$ and
$a \leftarrow a/2$. If $v$ is odd, set $k \leftarrow (-1)^{(b^2-1)/8}\,k$.

6. [Subtract and apply reciprocity] (Here $a$ and $b$ are odd.) Set $r \leftarrow b - a$. If $r > 0$,
then set $k \leftarrow (-1)^{(a-1)(b-1)/4}\,k$ (using if statements), $b \leftarrow a$ and $a \leftarrow r$, else
set $a \leftarrow -r$. Go to step 4.

Note that we cannot immediately reduce $a$ modulo $b$ at the beginning of
the algorithm. This is because when $b$ is even the Kronecker symbol $\left(\frac{a}{b}\right)$ is not
periodic of period $b$ in general, but only of period $4b$. Apart from this remark,
the proof of the validity of this algorithm follows immediately from Theorem
1.4.10 and the validity of the binary algorithm. □


The running time of all of these Legendre symbol algorithms has the same
order of magnitude as Euclid's algorithm, i.e. $O(\ln^2 N)$ when carefully programmed,
where $N$ is an upper bound on the size of the inputs $a$ and $b$. Note
however that the constants will be different because of the special treatment
of even numbers.
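Algorithm 1.4.10 written out in Python, with the table lookup and the `a&b&2` idiom from Remark (1), as an added example (not code from the book). The checks at the end compare it with Euler's criterion from Proposition 1.4.6 and count residues; those helper names are this example's own. Python's bitwise `&` on a negative integer behaves as on its two's-complement representation, so `a & 7` and `a & 2` read $a \bmod 8$ and the $a \bmod 4$ bit correctly even while $a$ is still negative.

```python
# tab2[a & 7] = (-1)^((a^2 - 1)/8) for odd a, and 0 for even a (Remark (1)).
TAB2 = (0, 1, 0, -1, 0, -1, 0, 1)


def kronecker(a, b):
    """Kronecker symbol (a/b) for arbitrary integers a, b, following Algorithm 1.4.10.

    For b an odd prime this is the Legendre symbol; for odd b the Jacobi symbol.
    """
    # Step 1 [Test b equal to 0]
    if b == 0:
        return 1 if abs(a) == 1 else 0
    # Step 2 [Remove 2's from b]
    if a % 2 == 0 and b % 2 == 0:
        return 0
    v = 0
    while b % 2 == 0:
        v += 1
        b //= 2
    k = 1 if v % 2 == 0 else TAB2[a & 7]     # (a/2)^v by table lookup
    if b < 0:
        b = -b
        if a < 0:
            k = -k                          # (a/-1) = -1 for a < 0
    # Steps 3 and 4, looped. Invariant at the top: b is odd and b > 0.
    while True:
        if a == 0:                          # Step 3 [Finished?]
            return 0 if b > 1 else k
        v = 0
        while a % 2 == 0:
            v += 1
            a //= 2
        if v % 2 == 1:
            k *= TAB2[b & 7]                # (2/b)^v
        # Step 4 [Apply reciprocity]: k <- (-1)^((a-1)(b-1)/4) k, i.e. the C line if(a&b&2) k=-k;
        if a & b & 2:
            k = -k
        r = abs(a)
        a, b = b % r, r


def euler_criterion(a, p):
    """(a/p) for an odd prime p computed as a^((p-1)/2) mod p (Proposition 1.4.6 (2))."""
    e = pow(a, (p - 1) // 2, p)
    return -1 if e == p - 1 else e


def check_against_euler(p):
    """True iff kronecker(a, p) agrees with Euler's criterion for every a in 0..p-1."""
    return all(kronecker(a, p) == euler_criterion(a, p) for a in range(p))


def residue_counts(p):
    """(#residues, #non-residues) among 1..p-1; both equal (p-1)/2 by Proposition 1.4.6 (3)."""
    vals = [kronecker(a, p) for a in range(1, p)]
    return vals.count(1), vals.count(-1)
```

`kronecker(-2, 97)` returns 1, which is the value needed in the worked Cornacchia example later in this section; `kronecker(6, 9)` returns 0 because the arguments are not coprime (Theorem 1.4.9 (1)).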
We now come to a slightly more specialized question. Let $p$ be an odd prime
number, and suppose that we have just checked that $\left(\frac{a}{p}\right) = 1$ using one of the
algorithms given above. Then by definition, there exists an $x$ such that $x^2 \equiv a$
$\pmod p$. How do we find $x$? Of course, a brute force search would take time
$O(p)$ and, even for $p$ moderately large, is out of the question. We need a faster
algorithm  to  do  this.  At  this  point  the  reader  might  want  to  try  and  find  one 
himself  before  reading  further.  This  would  give  a  feel  for  the  difficulty  of  the 
problem.  (Note  that  we  will  be  considering  much  more  difficult  and  general 
problems  later  on,  so  it  is  better  to  start  with  a  simple  one.) 

There is an easy solution which comes to mind that works for half of the
primes $p$, i.e. primes $p \equiv 3 \pmod 4$. I claim that in this case a solution is
given by

$$x \equiv a^{(p+1)/4} \pmod p,$$

the computation being done using the powering Algorithm 1.2.1. Indeed, since
$a$ is a quadratic residue, we have $a^{(p-1)/2} \equiv 1 \pmod p$ hence

$$x^2 \equiv a^{(p+1)/2} = a \cdot a^{(p-1)/2} \equiv a \pmod p$$

as claimed.

A less trivial solution works for half of the remaining primes, i.e. primes
$p \equiv 5 \pmod 8$. Since we have $a^{(p-1)/2} \equiv 1 \pmod p$ and since $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ is a
field, we must have

$$a^{(p-1)/4} \equiv \pm 1 \pmod p.$$

Now, if the sign is $+$, then the reader can easily check as above that

$$x \equiv a^{(p+3)/8} \pmod p$$

is a solution. Otherwise, using $p \equiv 5 \pmod 8$ and Theorem 1.4.7, we know
that $2^{(p-1)/2} \equiv -1 \pmod p$. Then one can check that

$$x \equiv 2a \cdot (4a)^{(p-5)/8} \pmod p$$

is a solution.
Thus the only remaining case is $p \equiv 1 \pmod 8$. Unfortunately, this is the
hardest  case.  Although,  by  methods  similar  to  the  one  given  above,  one  could 
give  an  infinite  number  of  families  of  solutions,  this  would  not  be  practical  in 
any  sense. 
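The two special-case formulas above, as an added Python example (not from the book). Each function assumes its congruence condition on $p$ and that $a$ is a quadratic residue; `check_all_residues` is a helper of this example that verifies the returned root against every residue of a small prime, using Euler's criterion to pick the residues.

```python
def sqrt_3mod4(a, p):
    """p = 3 (mod 4), a a quadratic residue: x = a^((p+1)/4) mod p."""
    assert p % 4 == 3
    return pow(a, (p + 1) // 4, p)


def sqrt_5mod8(a, p):
    """p = 5 (mod 8), a a quadratic residue: branch on the sign of a^((p-1)/4)."""
    assert p % 8 == 5
    if pow(a, (p - 1) // 4, p) == 1:
        return pow(a, (p + 3) // 8, p)
    # Here a^((p-1)/4) = -1 and, since p = 5 (mod 8), 2^((p-1)/2) = -1 (mod p).
    return (2 * a * pow(4 * a, (p - 5) // 8, p)) % p


def check_all_residues(p, sqrt_fn):
    """True iff sqrt_fn returns a correct square root for every non-zero residue mod p."""
    for a in range(1, p):
        if pow(a, (p - 1) // 2, p) == 1:        # Euler's criterion: a is a residue
            x = sqrt_fn(a, p)
            if (x * x - a) % p != 0:
                return False
    return True
```

For $p = 13$ and $a = 10$ the second branch is taken: $10^3 \equiv -1 \pmod{13}$, and the formula gives $x = 20 \cdot 40 \bmod 13 = 7$, with $7^2 = 49 \equiv 10$.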


1.5.1  The  Algorithm  of  Tonelli  and  Shanks 

There  are  essentially  three  algorithms  for  solving  the  above  problem.  One  is 
a  special  case  of  a  general  method  for  factoring  polynomials  modulo  p,  which 
we  will  study  in  Chapter  3.  Another  is  due  to  Schoof  and  it  is  the  only  non- 
probabilistic  polynomial  time  algorithm  known  for  this  problem.  It  is  quite 
complex  since  it  involves  the  use  of  elliptic  curves  (see  Chapter  7),  and  its 
practicality  is  not  clear,  although  quite  a  lot  of  progress  has  been  achieved 
by  Atkin.  Therefore,  we  will  not  discuss  it  here.  The  third  and  last  algorithm 
is  due  to  Tonelli  and  Shanks,  and  although  probabilistic,  it  is  quite  efficient. 
It  is  the  most  natural  generalization  of  the  special  cases  studied  above.  We 
describe  this  algorithm  here. 

We can always write

$$p - 1 = 2^e \cdot q, \quad \text{with } q \text{ odd.}$$

The multiplicative group $(\mathbb{Z}/p\mathbb{Z})^*$ is isomorphic to the (additive) group $\mathbb{Z}/(p-1)\mathbb{Z}$,
hence its 2-Sylow subgroup $G$ is a cyclic group of order $2^e$. Assume that
one can find a generator $z$ of $G$. The squares in $G$ are the elements of order
dividing $2^{e-1}$, and are also the even powers of $z$. Hence, if $a$ is a quadratic
residue mod $p$, then, since

$$a^{(p-1)/2} = (a^q)^{2^{e-1}} \equiv 1 \pmod p,$$

$b = a^q \bmod p$ is a square in $G$, so there exists an even integer $k$ with $0 \le k < 2^e$
such that

$$a^q z^k = 1 \quad \text{in } G.$$

If one sets

$$x = a^{(q+1)/2} z^{k/2},$$

it is clear that $x^2 \equiv a \pmod p$, hence $x$ is the answer. To obtain an algorithm,
we need to solve two problems: finding a generator $z$ of $G$, and computing the
exponent $k$. Although very simple to solve in practice, the first problem is the
probabilistic part of the algorithm. The best way to find $z$ is as follows: choose
at random an integer $n$, and compute $z = n^q \bmod p$. Then it is clear that $z$ is a
generator of $G$ (i.e. $z^{2^{e-1}} = -1$ in $G$) if and only if $n$ is a quadratic non-residue
mod $p$, and this occurs with probability close to $1/2$ (exactly $(p-1)/(2p)$).
Therefore, in practice, we will find a non-residue very quickly. For example,
the probability that one does not find one after 20 trials is lower than $10^{-6}$.
Finding the exponent $k$ is slightly more difficult, and in fact is not needed
explicitly (only $a^{(q+1)/2} z^{k/2}$ is needed). The method is explained in the following
complete algorithm, which in this form is due to Shanks.

Algorithm 1.5.1 (Square Root Mod $p$). Let $p$ be an odd prime, and $a \in \mathbb{Z}$.
Write $p - 1 = 2^e \cdot q$ with $q$ odd. This algorithm either outputs an $x$ such that
$x^2 \equiv a \pmod p$, or says that such an $x$ does not exist (i.e. that $a$ is a quadratic
non-residue mod $p$).

1. [Find generator] Choose numbers $n$ at random until $\left(\frac{n}{p}\right) = -1$. Then set
$z \leftarrow n^q \pmod p$.

2. [Initialize] Set $y \leftarrow z$, $r \leftarrow e$, $x \leftarrow a^{(q-1)/2} \pmod p$, $b \leftarrow ax^2 \pmod p$,
$x \leftarrow ax \pmod p$.

3. [Find exponent] If $b \equiv 1 \pmod p$, output $x$ and terminate the algorithm.
Otherwise, find the smallest $m \ge 1$ such that $b^{2^m} \equiv 1 \pmod p$. If $m = r$,
output a message saying that $a$ is not a quadratic residue mod $p$.

4. [Reduce exponent] Set $t \leftarrow y^{2^{r-m-1}}$, $y \leftarrow t^2$, $r \leftarrow m$, $x \leftarrow xt$, $b \leftarrow by$ (all
operations done modulo $p$), and go to step 3.

Note that at the beginning of step 3 we always have the congruences
modulo $p$:

$$ab \equiv x^2, \qquad y^{2^{r-1}} \equiv -1, \qquad b^{2^{r-1}} \equiv 1.$$

If $G_r$ is the subgroup of $G$ whose elements have an order dividing $2^r$, then this
says that $y$ is a generator of $G_r$ and that $b$ is in $G_{r-1}$, in other words that $b$ is
a square in $G_r$. Since $r$ is strictly decreasing at each loop of the algorithm, the
number of loops is at most $e$. When $r \le 1$ we have $b = 1$ hence the algorithm
terminates, and the above congruence shows that $x$ is one of the square roots
of $a$ mod $p$.

It is easy to show that, on average, steps 3 and 4 will require $e^2/4$ multiplications
mod $p$, and at most $e^2$. Hence the expected running time of this
algorithm is $O(\ln^4 p)$. □

Remarks. 

(1) In the algorithm above, we have not explicitly computed the value of the
exponent $k$ such that $a^q z^k = 1$ but it is easy to do so if needed (see
Exercise 25).

(2) As already mentioned, Shanks's algorithm is probabilistic, although the
only non-deterministic part is finding a quadratic non-residue mod $p$,
which seems quite a harmless task. One could try making it completely
deterministic by successively trying $n = 2, 3, \ldots$ in step 1 until a non-residue
is found. This is a reasonable method, but unfortunately the most powerful
analytical tools only allow us to prove that the smallest quadratic
non-residue is $O(p^{\alpha})$ for a non-zero $\alpha$. Thus, this deterministic algorithm,
although correct, may have, as far as we know, an exponential running
time.

If one assumes the Generalized Riemann Hypothesis (GRH), then
one can prove much more, i.e. that the smallest quadratic non-residue
is $O(\ln^2 p)$, hence this gives a polynomial running time (in $O(\ln^4 p)$ since
computing a Legendre symbol is in $O(\ln^2 p)$). In fact, Bach [Bach] has
proved that for $p > 1000$ the smallest non-residue is less than $2\ln^2 p$. In
any case, in practice the probabilistic method and the sequential method
(i.e. choosing $n = 2, 3, \ldots$) give essentially equivalent running times.

(3) If $m$ is an integer whose factorization into a product of prime powers
is completely known, it is easy to write an algorithm to solve the more
general problem $x^2 \equiv a \pmod m$ (see Exercise 30).


1.5.2  The  Algorithm  of  Cornacchia 

A well known theorem of Fermat (see [H-W]) says that an odd prime $p$ is a sum
of two squares if and only if $p \equiv 1 \bmod 4$, i.e. if and only if $-1$ is a quadratic
residue mod $p$. Furthermore, up to sign and exchange, the representation of $p$
as a sum of two squares is unique. Thus, it is natural to ask for an algorithm
to compute $x$ and $y$ such that $x^2 + y^2 = p$ when $p \equiv 1 \bmod 4$. More generally,
given a positive integer $d$ and an odd prime $p$, one can ask whether the equation

$$x^2 + dy^2 = p$$

has a solution, and for an algorithm to find $x$ and $y$ when they exist. There is
a pretty algorithm due to Cornacchia which solves both problems simultaneously.
For the beautiful and deep theory concerning the first problem, which
is closely related to complex multiplication (see Section 7.2) see [Cox].

First, note that a necessary condition for the existence of a solution is that
$-d$ be a quadratic residue modulo $p$. Indeed, we clearly must have $y \not\equiv 0 \bmod p$
hence

$$(xy^{-1})^2 \equiv -d \bmod p,$$

where $y^{-1}$ denotes the inverse of $y$ modulo $p$. We therefore assume that this
condition is satisfied. By using Algorithm 1.5.1 we can find an integer $x_0$ such
that

$$x_0^2 \equiv -d \bmod p$$

and we may assume that $p/2 < x_0 < p$. Cornacchia's algorithm tells us that
we should simply apply Euclid's Algorithm 1.3.1 to the pair $(a, b) = (p, x_0)$
until we obtain a number $b$ such that $b < \sqrt p$. Then we set $c \leftarrow (p - b^2)/d$, and
if $c$ is the square of an integer $s$, the equation $x^2 + dy^2 = p$ has $(x, y) = (b, s)$
as (essentially unique) solution, otherwise it has no solution. This leads to the
following algorithm.

Algorithm 1.5.2 (Cornacchia). Let $p$ be a prime number and $d$ be an integer
such that $0 < d < p$. This algorithm either outputs an integer solution $(x, y)$ to
the Diophantine equation $x^2 + dy^2 = p$, or says that such a solution does not
exist.

1. [Test if residue] Using Algorithm 1.4.12 compute $k \leftarrow \left(\frac{-d}{p}\right)$. If $k = -1$, say
that the equation has no solution and terminate the algorithm.

2. [Compute square root] Using Shanks's Algorithm 1.5.1, compute an integer $x_0$
such that $x_0^2 \equiv -d \bmod p$, and change $x_0$ into $\pm x_0 + kp$ so that $p/2 < x_0 < p$.
Then set $a \leftarrow p$, $b \leftarrow x_0$ and $l \leftarrow \lfloor \sqrt p \rfloor$.

3. [Euclidean algorithm] If $b > l$, set $r \leftarrow a \bmod b$, $a \leftarrow b$, $b \leftarrow r$ and go to step
3.

4. [Test solution] If $d$ does not divide $p - b^2$ or if $c = (p - b^2)/d$ is not the square
of an integer (see Algorithm 1.7.3), say that the equation has no solution and
terminate the algorithm. Otherwise, output $(x, y) = (b, \sqrt c)$ and terminate the
algorithm.

Let us give a numerical example. Assume that we want to solve $x^2 + 2y^2 =
97$. In step 1, we first compute $\left(\frac{-2}{97}\right)$ by Algorithm 1.4.12 (or directly since here
it is easy), and find that $-2$ is a quadratic residue mod 97. Thus the equation
may have a solution (and in fact it must have one since the class number
of the ring of integers of $\mathbb{Q}(\sqrt{-2})$ is equal to 1, see Chapter 5). In step 2, we
compute $x_0$ such that $x_0^2 \equiv -2 \bmod 97$ using Algorithm 1.5.1. Using $n = 5$
hence $z = 28$, we readily find $x_0 = 17$. Then the Euclidean algorithm in step
3 gives $97 = 5 \cdot 17 + 12$, $17 = 1 \cdot 12 + 5$ and hence $b = 5$ is the first number
obtained in the Euclidean stage, which is less than or equal to the square root
of 97. Now $c = (97 - 5^2)/2 = 36$ is a square, hence a solution (unique) to our
equation is $(x, y) = (5, 6)$. Of course, this could have been found much more
quickly by inspection, but for larger numbers we need to use the algorithm as
written.

The  proof  of  this  algorithm  is  not  really  difficult,  but  is  a  little  painful 
so  we  refer  to  [Mor-Nic].  A  nice  proof  due  to  H.  W.  Lenstra  can  be  found 
in  [Scho2].  Note  also  that  Algorithm  1.3.14  above  can  also  be  used  to  solve 
the  problem,  and  the  proof  that  we  gave  of  the  validity  of  that  algorithm  is 
similar,  but  simpler. 

When working in complex quadratic orders of discriminant $D < 0$ congruent
to 0 or 1 modulo 4 (see Chapter 5), it is more natural to solve the
equation

$$x^2 + |D|y^2 = 4p$$

where $p$ is an odd prime (we will for example need this in Chapter 9).

If $4 \mid D$, we must have $2 \mid x$, hence the equation is equivalent to $x'^2 + dy^2 =
p$ with $x' = x/2$ and $d = |D|/4$, which we can solve by using Algorithm 1.5.2.

If $D \equiv 1 \pmod 8$, we must have $x^2 - y^2 \equiv 4 \pmod 8$ and this is possible
only when $x$ and $y$ are even, hence our equation is equivalent to $x'^2 + dy'^2 = p$
with $x' = x/2$, $y' = y/2$ and $d = |D|$, which is again solved by Algorithm 1.5.2.
Finally, if $D \equiv 5 \pmod 8$, the parity of $x$ and $y$ is not a priori determined.
Therefore Algorithm 1.5.2 cannot be applied as written. There is however a
modification of Algorithm 1.5.2 which enables us to treat this problem.

For this compute $x_0$ such that $x_0^2 \equiv D \pmod p$ using Algorithm 1.5.1,
and if necessary change $x_0$ into $p - x_0$ so that in fact $x_0^2 \equiv D \pmod{4p}$. Then
apply the algorithm as written, starting with $(a, b) = (2p, x_0)$, and stopping
as soon as $b \le l$, where $l = \lfloor 2\sqrt p \rfloor$. Then, as in [Mor-Nic] one can show that
this gives the (essentially unique) solution to $x^2 + |D|y^2 = 4p$. This gives the
following algorithm.

Algorithm 1.5.3 (Modified Cornacchia). Let $p$ be a prime number and $D$
be a negative integer such that $D \equiv 0$ or $1$ modulo 4 and $|D| < 4p$. This
algorithm either outputs an integer solution $(x, y)$ to the Diophantine equation
$x^2 + |D|y^2 = 4p$, or says that such a solution does not exist.

1. [Case $p = 2$] If $p = 2$ do as follows. If $D + 8$ is the square of an integer, output
$(\sqrt{D + 8}, 1)$, otherwise say that the equation has no solution. Then terminate
the algorithm.

2. [Test if residue] Using Algorithm 1.4.12 compute $k \leftarrow \left(\frac{D}{p}\right)$. If $k = -1$, say
that the equation has no solution and terminate the algorithm.

3. [Compute square root] Using Shanks's Algorithm 1.5.1, compute an integer
$x_0$ such that $x_0^2 \equiv D \bmod p$ and $0 \le x_0 < p$, and if $x_0 \not\equiv D \pmod 2$, set
$x_0 \leftarrow p - x_0$. Finally, set $a \leftarrow 2p$, $b \leftarrow x_0$ and $l \leftarrow \lfloor 2\sqrt p \rfloor$.

4. [Euclidean algorithm] If $b > l$, set $r \leftarrow a \bmod b$, $a \leftarrow b$, $b \leftarrow r$ and go to step
4.

5. [Test solution] If $|D|$ does not divide $4p - b^2$ or if $c = (4p - b^2)/|D|$ is not
the square of an integer (see Algorithm 1.7.3), say that the equation has no
solution and terminate the algorithm. Otherwise, output $(x, y) = (b, \sqrt c)$ and
terminate the algorithm.
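Algorithms 1.5.1, 1.5.2 and 1.5.3 together, as an added Python example (not the book's code): both Cornacchia variants need a square root modulo $p$, so one Tonelli-Shanks routine serves all three. The non-residue $n$ is searched sequentially $n = 2, 3, \ldots$ (the sequential method of Remark (2) after Algorithm 1.5.1) rather than at random, so that the output is reproducible; the Legendre symbol is taken by Euler's criterion instead of Algorithm 1.4.12, and `math.isqrt` replaces the square-root test of Algorithm 1.7.3, which is not on this page. Helper names are this example's own. The worked instance $x^2 + 2y^2 = 97$ from the text reproduces $z = 28$, $x_0 = 17$ and the solution $(5, 6)$.

```python
import math


def legendre(a, p):
    """(a/p) for an odd prime p by Euler's criterion; enough for this example."""
    e = pow(a % p, (p - 1) // 2, p)
    return -1 if e == p - 1 else e


def sqrt_mod_p(a, p):
    """Algorithm 1.5.1: x with x^2 = a (mod p) for an odd prime p, or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        return None
    q, e = p - 1, 0                       # p - 1 = 2^e * q with q odd
    while q % 2 == 0:
        q //= 2
        e += 1
    n = 2                                 # Step 1 [Find generator], sequential search
    while legendre(n, p) != -1:
        n += 1
    z = pow(n, q, p)
    y, r = z, e                           # Step 2 [Initialize]
    x = pow(a, (q - 1) // 2, p)
    b = a * x * x % p
    x = a * x % p
    while b != 1:                         # Step 3 [Find exponent]
        m, t = 0, b
        while t != 1:
            t = t * t % p
            m += 1
        if m == r:                        # unreachable once the Legendre test passed
            return None
        t = pow(y, 1 << (r - m - 1), p)   # Step 4 [Reduce exponent]
        y = t * t % p
        r = m
        x = x * t % p
        b = b * y % p
    return x


def _euclid_until(a, b, bound):
    """Euclid's algorithm on (a, b), stopped at the first remainder b <= bound."""
    while b > bound:
        a, b = b, a % b
    return b


def _sqrt_if_square(c):
    """Integer s with s*s == c, or None (stands in for Algorithm 1.7.3)."""
    s = math.isqrt(c)
    return s if s * s == c else None


def cornacchia(d, p):
    """Algorithm 1.5.2: (x, y) with x^2 + d*y^2 = p for a prime p and 0 < d < p, else None."""
    if p == 2:                            # only d = 1 is allowed, and 1 + 1 = 2
        return (1, 1)
    x0 = sqrt_mod_p(-d, p)                # Steps 1-2: None if -d is a non-residue
    if x0 is None:
        return None
    if 2 * x0 < p:                        # choose the root with p/2 < x0 < p
        x0 = p - x0
    b = _euclid_until(p, x0, math.isqrt(p))          # Step 3 [Euclidean algorithm]
    c, rem = divmod(p - b * b, d)         # Step 4 [Test solution]
    if rem:
        return None
    s = _sqrt_if_square(c)
    return None if s is None else (b, s)


def modified_cornacchia(D, p):
    """Algorithm 1.5.3: (x, y) with x^2 + |D|*y^2 = 4p, for D < 0, D = 0 or 1 (mod 4), |D| < 4p."""
    if p == 2:                            # Step 1 [Case p = 2]
        s = _sqrt_if_square(D + 8) if D + 8 >= 0 else None
        return None if s is None else (s, 1)
    x0 = sqrt_mod_p(D, p)                 # Steps 2-3 [Test if residue, Compute square root]
    if x0 is None:
        return None
    if (x0 - D) % 2:                      # force x0 = D (mod 2), so that x0^2 = D (mod 4p)
        x0 = p - x0
    b = _euclid_until(2 * p, x0, math.isqrt(4 * p))  # Step 4 [Euclidean algorithm]
    c, rem = divmod(4 * p - b * b, -D)    # Step 5 [Test solution]
    if rem:
        return None
    s = _sqrt_if_square(c)
    return None if s is None else (b, s)
```

`cornacchia(5, 7)` returns `None`: $-5 \equiv 2$ is a residue mod 7, so the Legendre test passes, but the Euclidean stage ends at $b = 1$ and $(7 - 1)/5$ is not an integer, which is the "no solution" exit of step 4.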


1.6 Solving Polynomial Equations Modulo p

We  will  consider  more  generally  in  Chapter  3  the  problem  of  factoring  poly¬ 
nomials  mod  p.  If  one  wants  only  to  find  the  linear  factors,  i.e.  the  roots  mod 
p,  then  for  small  degrees  one  can  use  the  standard  formulas.  To  avoid  writing 
congruences  all  the  time,  we  implicitly  assume  that  we  work  in  Fp  =  Z/pZ. 

In degree one, the solution of the equation $ax + b = 0$ is $x = -b \cdot a^{-1}$,
where $a^{-1}$ is computed using Euclid's extended algorithm.

In degree two, the solutions of the equation $ax^2 + bx + c = 0$ where $a \ne 0$
and $p \ne 2$, are given as follows. Set $D = b^2 - 4ac$. If $\left(\frac{D}{p}\right) = -1$, then there
are no solutions in $\mathbb{F}_p$. If $\left(\frac{D}{p}\right) = 0$, i.e. if $p \mid D$, then there is a unique (double)
solution given by $x = -b \cdot (2a)^{-1}$. Finally, if $\left(\frac{D}{p}\right) = 1$, there are two solutions,
obtained in the following way: compute an $s$ such that $s^2 = D$ using one of
the algorithms of the preceding section. Then the solutions are as usual

$$(-b \pm s) \cdot (2a)^{-1}.$$

In degree three, Cardano's formulas can be used (see Exercise 28 of Chapter 3).
There are however two difficulties which must be taken care of. The
first is that we must find an algorithm to compute cube roots. This can be
done in a manner similar to the case of square roots. The second difficulty lies
in the handling of square roots when these square roots are not in $\mathbb{F}_p$ (they are
then in $\mathbb{F}_{p^2}$). This is completely analogous to handling complex numbers when
a real cubic equation has three real roots. The reader will find it an amusing
exercise to try and iron out all these problems (see Exercise 28). Otherwise,
see [Wil-Zar] and [Mori], who also gives the analogous recipes for degree four
equations (note that for computing fourth roots one can simply compute two
square roots).

In  degree  5  and  higher,  the  general  equations  have  a  non-solvable  Galois 
group,  hence  as  in  the  complex  case,  no  special-purpose  algorithms  are  known, 
and  one  must  rely  on  general  methods,  which  are  slower.  These  methods  will 
be  seen  in  Section  3.4,  to  which  we  refer  for  notations  and  definitions,  but  in 
the  special  case  of  root  finding,  the  algorithm  is  much  simpler.  We  assume 
p  >  2  since  for  p  =  2  there  are  just  two  values  to  try. 

Algorithm 1.6.1 (Roots Mod $p$). Given a prime number $p > 3$ and a polynomial
$P \in \mathbb{F}_p[X]$, this algorithm outputs the roots of $P$ in $\mathbb{F}_p$. This algorithm will
be called recursively, and it is understood that all the operations are done in $\mathbb{F}_p$.

1. [Isolate roots in $\mathbb{F}_p$] Compute $A(X) \leftarrow (X^p - X, P(X))$ as explained below.
If $A(0) = 0$, output $0$ and set $A(X) \leftarrow A(X)/X$.

2. [Small degree?] If $\deg(A) = 0$, terminate the algorithm. If $\deg(A) = 1$, and
$A(X) = a_1 X + a_0$, output $-a_0/a_1$ and terminate the algorithm. If $\deg(A) = 2$
and $A(X) = a_2 X^2 + a_1 X + a_0$, set $d \leftarrow a_1^2 - 4a_0 a_2$, compute $e \leftarrow \sqrt d$ using
Algorithm 1.5.1, output $(-a_1 + e)/(2a_2)$ and $(-a_1 - e)/(2a_2)$, and terminate
the algorithm. (Note that $e$ will exist.)

3. [Random splitting] Choose a random $a \in \mathbb{F}_p$, and compute $B(X) \leftarrow ((X +
a)^{(p-1)/2} - 1, A(X))$ as explained below. If $\deg(B) = 0$ or $\deg(B) = \deg(A)$,
go to step 3.

4. [Recurse] Output the roots of $B$ and $A/B$ using the present algorithm recursively
(skipping step 1), and terminate the algorithm.

Proof. The elements of $\mathbb{F}_p$ are the elements $x$ of an algebraic closure which
satisfy $x^p = x$. Hence, the polynomial $A$ computed in step 1 is, up to a
constant factor, equal to the product of the $X - x$ where the $x$ are the roots
of $P$ in $\mathbb{F}_p$. Step 3 then splits the roots $x$ in two parts: the roots such that
$x + a$ is a quadratic residue mod $p$, and the others. Since $a$ is random, this
has approximately one chance in $2^{\deg(A) - 1}$ of not splitting the polynomial $A$
into smaller pieces, and this shows that the algorithm is valid. □

Implementation  Remarks. 

(1) Step 2 can be simplified by not taking into account the case of degree
2, but this gives a slightly less efficient algorithm. Also, if step 2 is kept
as it is, it may be worthwhile to compute once and for all the quadratic
non-residue mod $p$ which is needed in Algorithm 1.5.1.

(2) When we are asked to compute a GCD of the form $\gcd(u^n - b, c)$, we
must not compute $u^n - b$, but instead we compute $d \leftarrow u^n \bmod c$ using
the powering algorithm. Then we have $\gcd(u^n - b, c) = \gcd(d - b, c)$.
In addition, since $u = X + a$ is a very simple polynomial, the left-right
versions of the powering algorithm (Algorithms 1.2.3 and 1.2.4) are more
advantageous here.

(3) When $p$ is small, and in particular when $p$ is smaller than the degree
of $A(X)$, it may be faster to simply test all values $X = 0, \ldots, p - 1$.
Thus, the above algorithm is really useful when $p$ is not too small. In
that case, it may be faster to compute $\gcd(X^{(p-1)/2} - 1, A(X - a))$ than
$\gcd((X + a)^{(p-1)/2} - 1, A(X))$.
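Algorithm 1.6.1 implemented over $\mathbb{F}_p[X]$ as an added Python example (not code from the book). Polynomials are coefficient lists, lowest degree first; the GCDs with $X^p - X$ and $(X + a)^{(p-1)/2} - 1$ are computed through a reduced power $d = u^n \bmod c$ as Implementation Remark (2) prescribes, and the degree-2 shortcut of step 2 is dropped (Remark (1)) so the example does not need a modular square root. A seeded generator stands in for the random choice of $a$ so that runs are reproducible; `pow(x, -1, p)` for the modular inverse assumes Python 3.8 or later. All helper names are this example's own.

```python
import random


def _trim(f):
    """Drop trailing zero coefficients (lists are low degree first)."""
    while f and f[-1] == 0:
        f.pop()
    return f


def poly_divmod(f, g, p):
    """Quotient and remainder of f by g in F_p[X]; g must be non-zero."""
    f = _trim([c % p for c in f])
    g = _trim([c % p for c in g])
    inv = pow(g[-1], -1, p)
    dg = len(g) - 1
    q = [0] * max(len(f) - dg, 0)
    while len(f) - 1 >= dg:
        coef = f[-1] * inv % p
        shift = len(f) - 1 - dg
        q[shift] = coef
        for i, gc in enumerate(g):
            f[shift + i] = (f[shift + i] - coef * gc) % p
        _trim(f)
    return _trim(q), f


def poly_sub(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return _trim([(x - y) % p for x, y in zip(f, g)])


def poly_gcd(f, g, p):
    """Monic gcd in F_p[X] by Euclid's algorithm (f, g not both zero)."""
    f, g = _trim([c % p for c in f]), _trim([c % p for c in g])
    while g:
        f, g = g, poly_divmod(f, g, p)[1]
    inv = pow(f[-1], -1, p)
    return [c * inv % p for c in f]


def _mulmod(f, g, m, p):
    prod = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, fc in enumerate(f):
        for j, gc in enumerate(g):
            prod[i + j] = (prod[i + j] + fc * gc) % p
    return poly_divmod(prod, m, p)[1]


def poly_powmod(base, exp, m, p):
    """base^exp mod m in F_p[X] by right-left binary powering."""
    result, base = [1], poly_divmod(base, m, p)[1]
    while exp:
        if exp & 1:
            result = _mulmod(result, base, m, p)
        base = _mulmod(base, base, m, p)
        exp >>= 1
    return result


def roots_mod_p(P, p, seed=1):
    """Sorted roots in F_p of the non-zero polynomial P, by Algorithm 1.6.1."""
    rng = random.Random(seed)
    # Step 1 [Isolate roots]: A = gcd(X^p - X, P) computed as gcd(d - X, P), d = X^p mod P.
    d = poly_powmod([0, 1], p, P, p)
    A = poly_gcd(poly_sub(d, [0, 1], p), P, p)
    roots = []
    if A[0] == 0:                         # A(0) = 0: record the root 0 and divide by X
        roots.append(0)
        A = A[1:]
    return sorted(roots + _split(A, p, rng))


def _split(A, p, rng):
    """Steps 2-4 for a monic, square-free A that splits completely over F_p."""
    deg = len(A) - 1
    if deg <= 0:                          # Step 2 [Small degree?]
        return []
    if deg == 1:
        return [(-A[0] * pow(A[1], -1, p)) % p]
    while True:                           # Step 3 [Random splitting]
        a = rng.randrange(p)
        u = poly_powmod([a, 1], (p - 1) // 2, A, p)     # (X + a)^((p-1)/2) mod A
        B = poly_gcd(poly_sub(u, [1], p), A, p)
        if 0 < len(B) - 1 < deg:
            break
    quotient = poly_divmod(A, B, p)[0]    # Step 4 [Recurse] on B and A/B
    return _split(B, p, rng) + _split(quotient, p, rng)
```

For $P = X^3 - 1$ over $\mathbb{F}_7$ the reduced power is $X^7 \bmod P = X$, so $d - X = 0$ and $A = P$ itself; the splitting step then separates $\{1, 2, 4\}$ according to whether $x + a$ is a residue.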


1.7  Power  Detection 

In many algorithms, it is necessary to detect whether a number is a square or
more generally a perfect power, and if it is, to compute the root. We consider
here the three most frequent problems of this sort and give simple arithmetic
algorithms to solve them. Of course, to test whether $n = m^k$, you can always
compute the nearest integer to $e^{\ln n / k}$ by transcendental means, and see if the
$k$th power of that integer is equal to $n$. This needs to be tried only for $k \le \lg n$.
This is clearly quite inefficient, and also requires the use of transcendental
functions, so we turn to better methods.


1.7.1  Integer  Square  Roots 

We  start  by  giving  an  algorithm  which  computes  the  integer  part  of  the  square 
root  of  any  positive  integer  n.  It  uses  a  variant  of  Newton’s  method,  but  works 
entirely  with  integers.  The  algorithm  is  as  follows. 

Algorithm 1.7.1 (Integer Square Root). Given a positive integer n, this algorithm computes the integer part of the square root of n, i.e. the number m such that m² ≤ n < (m + 1)².

1. [Initialize] Set x ← n (see discussion).

2. [Newtonian step] Set y ← ⌊(x + ⌊n/x⌋)/2⌋ using integer divides and shifts.

3. [Finished?] If y < x set x ← y and go to step 2. Otherwise, output x and terminate the algorithm.

Proof. By step 3, the value of x is strictly decreasing, hence the algorithm terminates. We must show that the output is correct. Let us set q = ⌊√n⌋.

Since (t + n/t)/2 ≥ √n for any positive real value of t, it is clear that the inequality x ≥ q is satisfied throughout the algorithm (note that it is also satisfied after the initialization step). Now assume that the termination condition in step 3 is satisfied, i.e. that y = ⌊(x + n/x)/2⌋ ≥ x. We must show that x = q. Assume the contrary, i.e. that x ≥ q + 1. Then,

$$y - x = \left\lfloor \frac{x + n/x}{2} \right\rfloor - x = \left\lfloor \frac{n/x - x}{2} \right\rfloor = \left\lfloor \frac{n - x^2}{2x} \right\rfloor .$$

Since x ≥ q + 1 > √n, we have n − x² < 0, hence y − x < 0, a contradiction.

This  shows  the  validity  of  the  algorithm.  □ 

Remarks. 

(1) We have written the formula in step 2 using the integer part function twice to emphasize that every operation must be done using integer arithmetic, but of course mathematically speaking, the outermost one would be enough.

(2) When actually implementing this algorithm, the initialization step must be modified. As can be seen from the proof, the only condition which must be satisfied in the initialization step is that x be greater or equal to the integer part of √n. One should try to initialize x as close as possible to this number. For example, after an O(ln ln n) search, as in the left-right binary powering Algorithm 1.2.2, one can find e such that 2^e ≤ n < 2^{e+1}. Then, one can take x ← 2^{⌊(e+2)/2⌋}. Another option is to compute a single precision floating point approximation to the square root of n and to take the ceiling of that. The choice between these options is machine dependent.

(3) Let us estimate the running time of the algorithm. As written, we will spend a lot of time essentially dividing x by 2 until we are in the right ball-park, and this requires O(ln n) steps, hence O(ln³ n) running time. However, if care is taken in the initialization step as mentioned above, we can reduce this to the usual number of steps for a quadratically convergent algorithm, i.e. O(ln ln n). In addition, if the precision is decreased at each iteration, it is not difficult to see that one can obtain an algorithm which runs in O(ln² n) bit operations, hence only a constant times slower than multiplication/division.


1.7.2  Square  Detection 

Given  a  positive  integer  n,  we  want  to  determine  whether  n  is  a  square  or 
not.  One  method  of  course  would  be  to  compute  the  integer  square  root  of 
n using Algorithm 1.7.1, and to check whether n is equal to the square of
the  result.  This  is  far  from  being  the  most  efficient  method.  We  could  also 
use  Exercise  22  which  says  that  a  number  is  a  square  if  and  only  if  it  is  a 
quadratic  residue  modulo  every  prime  not  dividing  it,  and  compute  a  few 
Legendre  symbols  using  the  algorithms  of  Section  1.4.2.  We  will  use  a  variant 
of  this  method  which  replaces  Legendre  symbol  computation  by  table  lookup. 
One  possibility  is  to  use  the  following  algorithm. 

Precomputations 1.7.2. This is to be done and stored once and for all.

1. [Fill 11] For k = 0 to 10 set q11[k] ← 0. Then for k = 0 to 5 set q11[k² mod 11] ← 1.

2. [Fill 63] For k = 0 to 62 set q63[k] ← 0. Then for k = 0 to 31 set q63[k² mod 63] ← 1.

3. [Fill 64] For k = 0 to 63 set q64[k] ← 0. Then for k = 0 to 31 set q64[k² mod 64] ← 1.

4. [Fill 65] For k = 0 to 64 set q65[k] ← 0. Then for k = 0 to 32 set q65[k² mod 65] ← 1.

Once  the  precomputations  are  made,  the  algorithm  is  simply  as  follows. 

Algorithm 1.7.3 (Square Test). Given a positive integer n, this algorithm determines whether n is a square or not, and if it is, outputs the square root of n. We assume that the precomputations 1.7.2 have been made.

1. [Test 64] Set t ← n mod 64 (using if possible only an and statement). If q64[t] = 0, n is not a square and terminate the algorithm. Otherwise, set r ← n mod 45045.

2. [Test 63] If q63[r mod 63] = 0, n is not a square and terminate the algorithm.

3. [Test 65] If q65[r mod 65] = 0, n is not a square and terminate the algorithm.

4. [Test 11] If q11[r mod 11] = 0, n is not a square and terminate the algorithm.

5. [Compute square root] Compute q ← ⌊√n⌋ using Algorithm 1.7.1. If n ≠ q², n is not a square and terminate the algorithm. Otherwise n is a square, output q and terminate the algorithm.

The validity of this algorithm is clear since if n is a square, it must be a square modulo k for any k. Let us explain the choice of the moduli. Note first that the number of squares modulo 64, 63, 65, 11 is 12, 16, 21, 6 respectively (see Exercise 23). Thus, if n is not a square, the probability that this will not have been detected in the four table lookups is equal to

$$\frac{12}{64} \cdot \frac{16}{63} \cdot \frac{21}{65} \cdot \frac{6}{11} = \frac{6}{715},$$

and this is less than one percent. Therefore, the actual computation of the integer square root in step 5 will rarely be done when n is not a square. This is the reason for the choice of the moduli. The order in which the tests are done comes from the inequalities

$$\frac{12}{64} < \frac{16}{63} < \frac{21}{65} < \frac{6}{11}.$$

If one is not afraid to spend memory, one can also store the squares modulo 45045 = 63 · 65 · 11, and then only one test is necessary instead of three, in addition to the modulo 64 test.

Of  course,  other  choices  of  moduli  are  possible  (see  [Nic]),  but  in  practice 
the  above  choice  works  well. 
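Algorithms 1.7.1 and 1.7.3 above, as an added Python example that is not code from the book: isqrt initializes x as in Remark (2) of Algorithm 1.7.1, the tables of Precomputations 1.7.2 are built by the helper _square_table, and square_count and miss_probability are additions of this example that check the counts 12, 16, 21, 6 and the 6/715 figure of the text.

```python
# Added example (not from the book): Algorithms 1.7.1 and 1.7.3 in Python.
# Integer-only Newton iteration, then the table-lookup square test.
from fractions import Fraction


def isqrt(n):
    """Algorithm 1.7.1: the integer m with m^2 <= n < (m+1)^2, for n >= 0."""
    if n < 0:
        raise ValueError("n must be non-negative")
    if n == 0:
        return 0
    e = n.bit_length() - 1          # 2^e <= n < 2^(e+1)
    x = 1 << ((e + 2) // 2)         # step 1 as in Remark (2): x >= floor(sqrt(n))
    while True:
        y = (x + n // x) >> 1       # step 2: Newtonian step, integer divide and shift
        if y >= x:                  # step 3: x stopped decreasing, so x = floor(sqrt(n))
            return x
        x = y


def _square_table(m):
    """Precomputations 1.7.2 for one modulus: table[r] = 1 iff r is a square mod m.
    As in the text only k = 0 .. floor(m/2) are squared, since (m-k)^2 = k^2 mod m."""
    table = [0] * m
    for k in range(m // 2 + 1):
        table[k * k % m] = 1
    return table


Q11, Q63, Q64, Q65 = (_square_table(m) for m in (11, 63, 64, 65))


def is_square(n):
    """Algorithm 1.7.3: return sqrt(n) if the positive integer n is a square, else None."""
    if n < 0:
        return None
    if Q64[n & 63] == 0:            # step 1: n mod 64 with a single AND
        return None
    r = n % 45045                   # 45045 = 63 * 65 * 11: one division serves steps 2-4
    if Q63[r % 63] == 0:            # step 2
        return None
    if Q65[r % 65] == 0:            # step 3
        return None
    if Q11[r % 11] == 0:            # step 4
        return None
    q = isqrt(n)                    # step 5: rarely reached when n is not a square
    return q if q * q == n else None


def square_count(m):
    """s(m) of Exercise 23, the number of squares modulo m (check helper)."""
    return sum(_square_table(m))


def miss_probability():
    """Probability that a non-square survives all four lookups, computed as the
    product of the four ratios given in the text (treating residues as random)."""
    p = Fraction(1)
    for m in (64, 63, 65, 11):
        p *= Fraction(square_count(m), m)
    return p
```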


1.7.3  Prime  Power  Detection 

The  last  problem  we  will  consider  in  this  section  is  that  of  determining  whether 
n  is  a  prime  power  or  not.  This  is  a  test  which  is  sometimes  needed,  for 
example  in  some  of  the  modern  factoring  algorithms  (see  Chapter  10).  We 
will  not  consider  the  problem  of  testing  whether  n  is  a  power  of  a  general 
number,  since  it  is  rarely  needed. 

The  idea  is  to  use  the  following  proposition. 

Proposition 1.7.4. Let n = p^k be a prime power. Then

(1) For any a we have p | (a^n − a, n).

(2) If k ≥ 2 and p > 2, let a be a witness to the compositeness of n given by the Rabin-Miller test 8.2.2, i.e. such that (a, n) = 1, and if n − 1 = 2^t q with q odd, then a^q ≢ 1 (mod n) and for all e such that 0 ≤ e ≤ t − 1 we have a^{2^e q} ≢ −1 (mod n). Then (a^n − a, n) is a non-trivial divisor of n (i.e. is different from 1 and n).


Proof. By Fermat's theorem, we have a^n ≡ a (mod p), hence (1) is clear. Let us prove (2). Let a be a witness to the compositeness of n as defined above. By (1), we already know that (a^n − a, n) > 1. Assume that (a^n − a, n) = n, i.e. that a^n ≡ a (mod n). Since (a, n) = 1 this is equivalent to a^{n−1} ≡ 1 (mod n), i.e. a^{2^t q} ≡ 1 (mod n). Let f be the smallest non-negative integer such that a^{2^f q} ≡ 1 (mod n). Thus f exists and f ≤ t. If we had f = 0, this would contradict the definition of a witness (a^q ≢ 1 (mod n)). So f > 0. But then we can write

$$p^k \mid \bigl(a^{2^{f-1} q} - 1\bigr)\bigl(a^{2^{f-1} q} + 1\bigr)$$

and since p is an odd prime, this implies that p^k divides one of the two factors. But p^k | (a^{2^{f−1} q} − 1) contradicts the minimality of f, and p^k | (a^{2^{f−1} q} + 1) contradicts the fact that a is a witness (we cannot have a^{2^e q} ≡ −1 (mod n) for e < t), hence we have a contradiction in every case, thus proving the proposition. □

This leads to the following algorithm.

Algorithm 1.7.5 (Prime Power Test). Given a positive integer n > 1, this algorithm tests whether or not n is of the form p^k with p prime, and if it is, outputs the prime p.

1. [Case n even] If n is even, set p ← 2 and go to step 4. Otherwise, set q ← n.

2. [Apply Rabin-Miller] By using Algorithm 8.2.2 show that either q is a probable prime or exhibit a witness a to the compositeness of q. If q is a probable prime, set p ← q and go to step 4.

3. [Compute GCD] Set d ← (a^q − a, q). If d = 1 or d = q, then n is not a prime power and terminate the algorithm. Otherwise set q ← d and go to step 2.

4. [Final test] (Here p is a divisor of n which is almost certainly prime.) Using a primality test (see Chapters 8 and 9) prove that p is prime. If it is not (an exceedingly rare occurrence), set q ← p and go to step 2. Otherwise, by dividing n by p repeatedly, check whether n is a power of p or not. If it is not, n is not a prime power, otherwise output p. Terminate the algorithm.

We  have  been  a  little  sloppy  in  this  algorithm.  For  example  in  step  4, 
instead  of  repeatedly  dividing  by  p  we  could  use  a  binary  search  analogous 
to  the  binary  powering  algorithm.  We  leave  this  as  an  exercise  for  the  reader 
(Exercise  4). 
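Algorithm 1.7.5 as an added Python example, not the book's code. Algorithm 8.2.2 is not on this page, so the function rabin_miller_witness (a fixed-base Rabin-Miller test, an assumption of this example) stands in for it, and the same test replaces the rigorous primality proof of step 4; the repeated division of step 4 is kept as the text describes it.

```python
# Added example (not from the book): Algorithm 1.7.5 (Prime Power Test) in Python.
# rabin_miller_witness() is a fixed-base Rabin-Miller test standing in for Algorithm 8.2.2.
from math import gcd

BASES = (2, 3, 5, 7, 11, 13, 17)   # assumption of this example: fixed bases, no random a


def rabin_miller_witness(q):
    """For odd q > 1: return None if q is a strong probable prime to every base in
    BASES, otherwise a base a that is a witness to the compositeness of q in the sense
    of Proposition 1.7.4 (2): a^s != 1 and a^(2^e s) != -1 (mod q) for 0 <= e < t."""
    if q in BASES:
        return None
    s, t = q - 1, 0                 # write q - 1 = 2^t * s with s odd
    while s % 2 == 0:
        s //= 2
        t += 1
    for a in BASES:
        x = pow(a, s, q)
        if x == 1 or x == q - 1:
            continue                # a^s = +-1: a is not a witness
        for _ in range(t - 1):
            x = x * x % q           # a^(2^e s) for e = 1, ..., t-1
            if x == q - 1:
                break
        else:
            return a                # never reached -1: a is a witness
    return None


def prime_power(n):
    """Return p if n = p^k with p prime and k >= 1, otherwise None."""
    if n < 2:
        return None
    if n % 2 == 0:                  # step 1: case n even
        p = 2
    else:
        q = n
        while True:
            a = rabin_miller_witness(q)     # step 2: apply Rabin-Miller
            if a is None:
                p = q
                break
            # step 3: d = gcd(a^q - a, q), computed as gcd((a^q mod q) - a, q)
            # as Remark (2) of Section 1.6 advises, never forming a^q itself
            d = gcd(pow(a, q, q) - a, q)
            if d == 1 or d == q:
                return None         # n is not a prime power
            q = d
        # step 4, primality proof: the book calls for a rigorous test (Chapters 8, 9).
        # Here p has already passed rabin_miller_witness; with these bases that is
        # deterministic for p < 3.4e14 (known result) and a probable-prime result above,
        # so the "go back to step 2" branch of step 4 never fires in this example.
    m = n                           # step 4, final check: divide n by p repeatedly
    while m % p == 0:
        m //= p
    return p if m == 1 else None
```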


1.8  Exercises  for  Chapter  1 

1.  Write  a  bare-bones  multi-precision  package  as  explained  in  Section  1.1.2. 

2. Improve your package by adding a squaring operation which operates faster than multiplication, and based on the identity (aX + b)² = a²X² + b² + ((a + b)² − a² − b²)X, where X is a power of the base. Test when a similar method applied to multiplication (see Section 3.1.2) becomes faster than the straightforward method.

3. Given a 32-bit non-negative integer x, assume that we want to compute quickly the highest power of 2 dividing x (32 if x = 0). Denoting by e(x) the exponent of this power of 2, show that this can be done using the formula

e(x) = t[(x ⊕ (x − 1)) mod 37]

where t is a suitable table of 37 values indexed from 0 to 36, and a ⊕ b denotes bitwise exclusive or (addition modulo 2 on bits). Show also that 37 is the least integer having this property, and find an analogous formula for 64-bit numbers.

4.  Given  two  integers  n  and  p,  give  an  algorithm  which  uses  ideas  similar  to  the 
binary  powering  algorithm,  to  check  whether  n  is  a  power  of  p.  Also,  if  p  is 
known  to  be  prime,  show  that  one  can  use  only  repeated  squarings  followed  by 
a  final  divisibility  test. 
5. Write a version of the binary GCD algorithm which uses ideas of Lehmer's algorithm, in particular keeping information about the low order words and the high order words. Try also to write an extended version.

6. Write an algorithm which computes (u, v, d) as in Algorithm 1.3.6, by storing the partial quotients and climbing back. Compare the speed with the algorithms of the text.

7. Prove that at the end of Algorithm 1.3.6, one has v₁ = ±b/d and v₂ = ∓a/d, and determine the sign as a function of the number of Euclidean steps.

8. Write an algorithm for finding a solution to the system of congruences x ≡ x₁ (mod m₁) and x ≡ x₂ (mod m₂) assuming that x₁ ≡ x₂ (mod gcd(m₁, m₂)).

9. Generalizing Exercise 8 and Algorithm 1.3.12, write a general algorithm for finding an x satisfying Theorem 1.3.9.

10. Show that the use of Gauss's Algorithm 1.3.14 leads to a slightly different algorithm than Cornacchia's Algorithm 1.5.2 for solving the equation x² + dy² = p (consider a = (p, 0) and b = (x₀, √d)).

11. Show how to modify Lehmer's Algorithm 1.3.13 for finding the continued fraction expansion of a real number, using the ideas of Algorithm 1.3.3, so as to avoid almost all multi-precision operations.

12. Using Algorithm 1.3.13, compute at least 30 partial quotients of the continued fraction expansions of the numbers e, e², e³, e^{2/3} (you will need some kind of multi-precision to do this). What do you observe? Experiment with numbers of the form e^{a/b}, and try to see for which a/b one sees a pattern. Then try and prove it (this is difficult; it is advised to start by doing a good bibliographic search).

13. Prove that if n = n₁n₂ with n₁ and n₂ coprime, then (Z/nZ)* ≅ (Z/n₁Z)* × (Z/n₂Z)*. Then prove Theorem 1.4.1.

14. Show that when α ≥ 2, g = 5 is always a generator of the cyclic subgroup of order 2^{α−2} of (Z/2^αZ)*.

15. Prove Proposition 1.4.6.

16. Give a proof of Theorem 1.4.7 (2) along the following lines (read Chapter 4 first if you are not familiar with number fields). Let p and q be distinct odd primes. Set ζ = e^{2iπ/p}, R = Z[ζ] and

τ(p) = (definition not legible in the scan)

a) Show that τ(p)² = (−1)^{(p−1)/2} p and that τ(p) is invertible in R/qR.

b) Show that τ(p)^q ≡ (q/p) τ(p) (mod qR).

c) Prove Theorem 1.4.7 (2), and modify the above arguments so as to prove Theorem 1.4.7 (1).

17. Prove Theorem 1.4.9 and Lemma 1.4.11.

18. Let p be an odd prime and n an integer prime to p. Then multiplication by n induces a permutation π_n of the finite set (Z/pZ)*. Show that the signature of this permutation is equal to the Legendre symbol (n/p). Deduce from this another proof of the quadratic reciprocity law (Theorem 1.4.7).
19. Generalizing Lemma 1.4.11, show the following general reciprocity law: if a and b are non-zero and a = 2^α a₁ (resp. b = 2^β b₁) with a₁ and b₁ odd, then

$$\cdots = (-1)^{(a_1-1)(b_1-1)/4 + (\operatorname{sign}(a_1)-1)(\operatorname{sign}(b_1)-1)/4} \cdots$$

(the left-hand side and the trailing factors of this formula are not legible in the scan).

20.  Implement  the  modification  suggested  after  Algorithm  1.4.10  (i.e.  taking  the 
smallest  residue  in  absolute  value  instead  of  the  smallest  non-negative  one)  and 
compare  its  speed  with  that  of  the  unmodified  algorithm. 

21. Using the quadratic reciprocity law, find the number of solutions of the congruence x³ ≡ 1 (mod p). Deduce from this the number of cubic residues mod p, i.e. numbers a not divisible by p such that the congruence x³ ≡ a (mod p) has a solution.

22. Show that an integer n is a square if and only if (n/p) = 1 for every prime p not dividing n.

23.  Given  a  modulus  m,  give  an  exact  formula  for  s(m),  the  number  of  squares 
modulo  m,  in  other  words  the  cardinality  of  the  image  of  the  squaring  map  from 
Z/mZ  into  itself.  Apply  your  formula  to  the  special  case  m  =  64,  63,65, 11. 

24.  Show  that  the  running  time  of  Algorithm  1.4.10  modified  by  keeping  b  odd,  may 
be  exponential  time  for  some  inputs. 

25. Modify Algorithm 1.5.1 so that in addition to computing x, it also computes the (even) exponent k such that a^q z^k = 1 in G, using the notations of the text.

26. Give an algorithm analogous to Shanks's Algorithm 1.5.1, to find the cube roots of a mod p when a is a cubic residue. It may be useful to consider separately the cases p ≡ 2 (mod 3) and p ≡ 1 (mod 3).

27. Given a prime number p and a quadratic non-residue a mod p, we can consider K = F_{p²} = F_p(√a). Explain how to do the usual arithmetic operations in K. Give an algorithm for computing square roots in K, assuming that the result is in K.

28. Generalizing Exercise 27, give an algorithm for computing cube roots in F_{p²}, and give also an algorithm for computing roots of equations of degree 3 by Cardano's formulas (see Exercise 28 of Chapter 3).


29. Show that, as claimed in the proof of Algorithm 1.5.1, steps 3 and 4 will require on average e²/4 and at most e² multiplications modulo p.

30. Let m = ∏ p^{e_p} be any positive integer for which we know the complete factorization into primes, and let a ∈ Z.

a) Give a necessary and sufficient condition for a to be congruent to a square modulo m, using several Legendre symbols.

b) Give a closed formula for the number of solutions of the congruence x² ≡ a (mod m).

c) Using Shanks's Algorithm 1.5.1 as a sub-algorithm, write an algorithm for computing a solution to x² ≡ a (mod m) if a solution exists (you should take care to handle separately the power of 2 dividing m).


31. Implement Algorithm 1.6.1 with and without the variant explained in Remark (3) following the algorithm, as well as the systematic trial of X = 0, …, p − 1, and compare the speed of these three algorithms for different values of p and deg(P) or deg(A).

32. By imitating Newton's method once again, design an algorithm for computing integer cube roots which works only with integers.

33. Show that, as claimed in the text, the average number of multiplications which are not squarings in the flexible left-right base 2^k algorithm is approximately 2^{k−1} + lg|n|/(k + 1), and that the optimal value of k is the smallest integer such that lg|n| ≤ (k + 1)(k + 2)2^{k−1}.

34. Consider the following modification to Algorithm 1.2.4.2. We choose some odd number L such that 2^{k−1} < L < 2^k and precompute only z, z³, …, z^L. Show that one can write any integer N in a unique way as N = 2^{t₀}(a₀ + 2^{t₁}(a₁ + … + 2^{t_e} a_e)) with a_i odd, a_i ≤ L, and t_i ≥ k − 1 for i ≥ 1, but t_i = k − 1 only if a_i > L − 2^{k−1}. Analyze the resulting algorithm and show that, in certain cases, it is slightly faster than Algorithm 1.2.4.2.


Perhaps surprisingly, we can easily improve on Algorithm 1.2.4 by using a flexible window of size at least k bits, instead of using a window of fixed size k. Indeed, it is easy to see that any positive integer N can be written in a unique way as

$$N = 2^{t_0}\bigl(a_0 + 2^{t_1}(a_1 + \cdots + 2^{t_e} a_e)\bigr)$$

where t_i ≥ k for i ≥ 1 and the a_i are odd integers such that 1 ≤ a_i ≤ 2^k − 1 (in Algorithm 1.2.4 we took t₀ = 0, t_i = k for i ≥ 1, and 0 ≤ a_i ≤ 2^k − 1 odd or even).

As before, we can precompute g³, g⁵, …, g^{2^k − 1} and then compute g^N by successive squarings and multiplications by g^{a_i}. To find the a_i and t_i we use the following immediate sub-algorithm.

Sub-Algorithm 1.2.4.1 (Flexible Base 2^k Digits). Given a positive integer N and k ≥ 1, this sub-algorithm computes the unique integers t_i and a_i defined above. We use [N]_{b,a} to denote the integer obtained by extracting bits a through b (inclusive) of N, where bit 0 is the least significant bit.

1. [Compute t₀] Let t₀ ← v₂(N), e ← 0 and s ← t₀.

2. [Compute a_e] Let a_e ← [N]_{s+k−1, s}.

3. [Compute t_e] Set m ← [N]_{∞, s+k}. If m = 0, terminate the sub-algorithm. Otherwise, set e ← e + 1, t_e ← v₂(m) + k, s ← s + t_e and go to step 2.

The flexible window algorithm is then as follows.

Algorithm 1.2.4.2 (Flexible Left-Right Base 2^k). Given g ∈ G and n ∈ Z, this algorithm computes g^n in G. We write 1 for the unit element of G.

1. [Initialize] If n = 0, output 1 and terminate. If n < 0 set N ← −n and z ← g^{−1}. Otherwise, set N ← n and z ← g.

2. [Compute the a_i and t_i] Using the above sub-algorithm, compute a_i, t_i and e such that N = 2^{t₀}(a₀ + 2^{t₁}(a₁ + ⋯ + 2^{t_e} a_e)) and set f ← e.

3. [Precomputations] Compute and store z³, z⁵, …, z^{2^k − 1}.

4. [Loop] If f = e set y ← z^{a_f}, otherwise set y ← z^{a_f} · y. Then repeat t_f times y ← y · y.

5. [Finished?] If f = 0, output y and terminate the algorithm. Otherwise, set f ← f − 1 and go to step 4.

We have used above the word "surprisingly" to describe the behavior of this algorithm. Indeed, it is not a priori clear why it should be any better than Algorithm 1.2.4. An easy analysis shows, however, that the average number of multiplications which are not squarings is now of the order of 2^{k−1} + lg|n|/(k + 1) (instead of 2^{k−1} + lg|n|/k in Algorithm 1.2.4), see Exercise 33. The optimal value of k is the smallest integer satisfying the inequality lg|n| ≤ (k + 1)(k + 2)2^{k−1}.

In the above example where n has 100 decimal digits, the flexible base 2^5 algorithm takes on average (3/4) · 332 + 16 + 332/6 ≈ 320 multiplications, another 3% improvement. In fact, using a simple modification, in certain cases we can still easily improve (very slightly) on Algorithm 1.2.4.2, see Exercise 34.
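Sub-Algorithm 1.2.4.1 and Algorithm 1.2.4.2 as an added Python example, not the book's code, taking G = (Z/mZ)* so that the result can be checked against Python's built-in pow; the multiplication counters and the recompose helper are additions of this example.

```python
# Added example (not from the book): Sub-Algorithm 1.2.4.1 and Algorithm 1.2.4.2
# in Python, with G = (Z/mod Z)* so the result can be compared with pow().
# The operation counters and recompose() are additions of this example.


def v2(m):
    """Exponent of the highest power of 2 dividing m > 0 (the 2-adic valuation)."""
    return (m & -m).bit_length() - 1


def flexible_digits(N, k):
    """Sub-Algorithm 1.2.4.1.  Returns lists a = [a_0, ..., a_e] and t = [t_0, ..., t_e]
    with N = 2^t_0 (a_0 + 2^t_1 (a_1 + ... + 2^t_e a_e)), every a_i odd and < 2^k,
    and t_i >= k for i >= 1."""
    assert N > 0 and k >= 1
    mask = (1 << k) - 1
    s = v2(N)                          # step 1: t_0 = v_2(N), s = t_0, e = 0
    a, t = [], [s]
    while True:
        a.append((N >> s) & mask)      # step 2: a_e = [N]_{s+k-1, s}
        m = N >> (s + k)               # step 3: m = [N]_{infinity, s+k}
        if m == 0:
            return a, t
        t_e = v2(m) + k                # the next odd digit starts at bit s + t_e
        t.append(t_e)
        s += t_e


def recompose(a, t):
    """Check helper: evaluate 2^t_0 (a_0 + 2^t_1 (a_1 + ...)) from the digit lists."""
    N = 0
    for a_i, t_i in zip(reversed(a), reversed(t)):
        N = (N + a_i) << t_i
    return N


def flexible_pow_mod(g, n, mod, k):
    """Algorithm 1.2.4.2 in G = (Z/mod Z)*.  Returns (g^n mod mod, squarings,
    other multiplications); the counts cover steps 3 and 4 only."""
    if n == 0:                         # step 1: initialize
        return 1 % mod, 0, 0
    if n < 0:
        z, N = pow(g, -1, mod), -n     # z = g^-1 (ValueError if g is not a unit)
    else:
        z, N = g % mod, n
    a, t = flexible_digits(N, k)       # step 2: the a_i and t_i
    e = len(a) - 1
    squarings = mults = 0
    z_odd = {1: z}                     # step 3: precompute z^3, z^5, ..., z^(2^k - 1)
    z2 = z * z % mod
    squarings += 1
    for i in range(3, 1 << k, 2):
        z_odd[i] = z_odd[i - 2] * z2 % mod
        mults += 1
    y = 1
    for f in range(e, -1, -1):         # steps 4 and 5: f runs from e down to 0
        if f == e:
            y = z_odd[a[f]]
        else:
            y = z_odd[a[f]] * y % mod
            mults += 1
        for _ in range(t[f]):          # repeat t_f times y <- y * y
            y = y * y % mod
            squarings += 1
    return y, squarings, mults
```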


Chapter  2 

Algorithms  for  Linear  Algebra  and  Lattices 


2.1  Introduction 

In  many  algorithms,  and  in  particular  in  number-theoretic  ones,  it  is  necessary 
to  use  algorithms  to  solve  common  problems  of  linear  algebra.  For  example, 
solving  a  linear  system  of  equations  is  such  a  problem.  Apart  from  stability 
considerations,  such  problems  and  algorithms  can  be  solved  by  a  single  algo¬ 
rithm  independently  of  the  base  field  (or  more  generally  of  the  base  ring  if  we 
work  with  modules).  Those  algorithms  will  naturally  be  called  linear  algebra 
algorithms. 

On the other hand, many algorithms of the same general kind specifically deal with problems based on specific properties of the base ring. For example, if the base ring is Z (or more generally any Euclidean domain), and if L is a submodule of rank n of Zⁿ, then Zⁿ/L is a finite Abelian group, and we may want to know its structure once a generating system of elements of L is known. This kind of problem can loosely be called an arithmetic linear algebra problem. Such problems are trivial if Z is replaced by a field K. (In our example we would have L = Kⁿ hence the quotient group would always be trivial.) In fact we will see that a submodule of Zⁿ is called a lattice, and that essentially all arithmetic linear algebra problems deal with lattices, so we will use the term lattice algorithms to describe the kind of algorithms that are used for solving arithmetic linear algebra problems.

This  chapter  is  therefore  divided  into  two  parts.  In  the  first  part,  we  give 
algorithms  for  solving  the  most  common  linear  algebra  problems.  It  must  be 
emphasized  that  the  goal  will  be  to  give  general  algorithms  valid  over  any 
field,  but  that  in  the  case  of  imprecise  fields  such  as  the  field  of  real  numbers, 
care  must  be  taken  to  insure  stability.  This  becomes  an  important  problem 
of  numerical  analysis,  and  we  refer  the  reader  to  the  many  excellent  books 
on  the  subject  ([Gol-Van],  [PFTV]).  Apart  from  mentioning  the  difficulties, 
given  the  spirit  of  this  book  we  will  not  dwell  on  this  aspect  of  linear  algebra. 

In the second part, we recall the definitions and properties of lattices. We will assume that the base ring is Z, but essentially everything carries over to the case where the base ring is a principal ideal domain (PID), for example K[X], where K is a field. Then we describe algorithms for lattices. In particular we discuss in great detail the LLL algorithm which is of fundamental importance, and give a number of applications.

2.2 Linear Algebra Algorithms on Square Matrices

2.2.1  Generalities  on  Linear  Algebra  Algorithms 

Let K be a field. Linear algebra over K is the study of K-vector spaces and K-linear maps between them. We will always assume that the vector spaces that we use are finite-dimensional. Of course, infinite-dimensional vector spaces arise naturally, for example the space K[X] of polynomials in one variable over K. Usually, however, when one needs to perform linear algebra on these spaces it is almost always on finite-dimensional subspaces.

A K-vector space V is an abstract object, but in practice, we will assume that V is given by a basis of n linearly independent vectors v₁, …, v_n in some K^m (where m is greater or equal, but not necessarily equal to n). This is of course highly non-canonical, but we can always reduce to that situation.

Since K^m has by definition a canonical basis, we can consider V as being given by an m × n matrix M(V) (i.e. a matrix with m rows and n columns) such that the columns of M(V) represent the coordinates in the canonical basis of K^m of the vectors v_i. If n = m, the linear independence of the v_i means, of course, that M(V) is an invertible matrix. (The notation M(V) is slightly improper since M(V) is attached, not to the vector space V, but to the chosen basis v_i.)

Note that changing bases in V is equivalent to multiplying M(V) on the right by an invertible n × n matrix. In particular, we may want the matrix M(V) to satisfy certain properties, for example being in upper triangular form. We will see below (Algorithm 2.3.11) how to do this.

A linear map f between two vector spaces V and W of respective dimensions n and m will in practice be represented by an m × n matrix M(f), M(f) being the matrix of the map f with respect to the bases M(V) and M(W) of V and W respectively. In other words, the j-th column of M(f) represents the coordinates of f(v_j) in the basis w_i, where the v_j correspond to the columns of M(V), and the w_i to the columns of M(W).

Note  that  in  the  above  we  use  column-representation  of  vectors  and  not 
row-representation;  this  is  quite  arbitrary,  but  corresponds  to  traditional  us¬ 
age.  Once  a  choice  is  made  however,  one  must  consistently  stick  with  it. 

Thus,  the  objects  with  which  we  will  have  to  work  with  in  performing  linear 
algebra  operations  are  matrices  and  (row  or  column)  vectors.  This  is  only  for 
practical  purposes,  but  keep  in  mind  that  it  rarely  corresponds  to  anything 
canonical.  The  internal  representation  of  vectors  is  completely  straightforward 
(i.e.  as  a  linear  array). 

For matrices, essentially three equivalent kinds of representation are possible. The particular one which should be chosen depends on the language in which the algorithms will be implemented. For example, it will not be the same in Fortran and in C.

One representation is to consider matrices as (row) vectors of (column) vectors. (We could also consider them as column vectors of row vectors but the former is preferable since we have chosen to represent vectors mainly in column-representation.) A second method is to represent matrices as two-dimensional arrays. Finally, we can also represent matrices as one-dimensional arrays, by adding suitable macro-definitions so as to be able to access individual elements by row and column indices.

Whatever representation is chosen, we must also choose the index numbering for rows and columns. Although many languages such as C take 0 as the starting index, for consistency with usual mathematical notation we will assume that the first index for vectors or for rows and columns of matrices is always taken to be equal to 1. This is not meant to suggest that one should use this in a particular implementation; it is simply for elegance of exposition. In any given implementation, it may be preferable to make the necessary trivial changes so as to use 0 as the starting index. Again, this is a language-dependent issue.


2.2.2  Gaussian  Elimination  and  Solving  Linear  Systems 

The basic operation which is used in linear algebra algorithms is that of Gaussian elimination, sometimes also known as Gaussian pivoting. This consists in replacing a column (resp. a row) C by some linear combination of all the columns (resp. rows) where the coefficient of C must be non-zero, so that (for example) some coefficient becomes equal to zero. Another operation is that of exchanging two columns (resp. rows). Together, these two basic types of operations (which we will call elementary operations on columns or rows) will allow us to perform all the tasks that we will need in linear algebra. Note that they do not change the vector space spanned by the columns (resp. rows). Also, in matrix terms, performing a series of elementary operations on columns (resp. rows) is equivalent to right (resp. left) multiplication by an invertible square matrix of the appropriate size. Conversely, one can show (see Exercise 1) that an invertible square matrix is equal to a product of matrices corresponding to elementary operations.

The linear algebra algorithms that we give are simply adaptations of these basic principles to the specific problems that we must solve, but the underlying strategy is always the same, i.e. reduce a matrix to some simpler form (i.e. with many zeros at suitable places) so that the problem can be solved very simply. The proofs of the algorithms are usually completely straightforward, hence will be given only when really necessary. We will systematically use the following notation: if M is a matrix, M_j denotes its j-th column, M'_i its i-th row, and m_{i,j} the entry at row i and column j. If B is a (column or row) vector, b_i will denote its i-th coordinate.

Perhaps the best way to see Gaussian elimination in action is in solving square linear systems of equations.

Algorithm 2.2.1 (Square Linear System). Let $M$ be an $n \times n$ matrix and $B$ a column vector. This algorithm either outputs a message saying that $M$ is not invertible, or outputs a column vector $X$ such that $MX = B$. We use an auxiliary column vector $C$.

1. [Initialize] Set $j \leftarrow 0$.

2. [Finished?] Let $j \leftarrow j + 1$. If $j > n$ go to step 6.

3. [Find non-zero entry] If $m_{i,j} = 0$ for all $i \ge j$, output a message saying that $M$ is not invertible and terminate the algorithm. Otherwise, let $i \ge j$ be some index such that $m_{i,j} \ne 0$.

4. [Swap?] If $i > j$, for $l = j, \dots, n$ exchange $m_{i,l}$ and $m_{j,l}$, and exchange $b_i$ and $b_j$.

5. [Eliminate] (Here $m_{j,j} \ne 0$.) Set $d \leftarrow m_{j,j}^{-1}$ and for all $k > j$ set $c_k \leftarrow d\,m_{k,j}$. Then, for all $k > j$ and $l > j$ set $m_{k,l} \leftarrow m_{k,l} - c_k m_{j,l}$. (Note that we do not need to compute this for $l = j$ since it is equal to zero.) Finally, for $k > j$ set $b_k \leftarrow b_k - c_k b_j$ and go to step 2.

6. [Solve triangular system] (Here $M$ is an upper triangular matrix.) For $i = n, n-1, \dots, 1$ (in that order) set $x_i \leftarrow \bigl(b_i - \sum_{i < j \le n} m_{i,j} x_j\bigr) / m_{i,i}$, output $X = (x_i)_{1 \le i \le n}$ and terminate the algorithm.

Note that steps 4 and 5 (the swap and elimination operations) are really row operations, but we have written them as working on entries since it is not necessary to take into account the first $j - 1$ columns.

Note also in step 5 that we start by computing the inverse of $m_{j,j}$ since in fields like $\mathbb{F}_p$ division is usually much more time-consuming than multiplication.

The number of necessary multiplications/divisions in this algorithm is clearly asymptotic to $n^3/3$ in the general case. Note however that this does not represent the true complexity of the algorithm, which should be counted in bit operations. This of course depends on the base field (see Section 1.1.3). This remark also applies to all the other linear algebra algorithms given in this chapter.

Inverting a square matrix $M$ means solving the linear systems $MX = E_i$, where the $E_i$ are the canonical basis vectors of $K^n$, hence one can achieve this by successive applications of Algorithm 2.2.1. Clearly, it is a waste of time to use Gaussian elimination on the matrix for each linear system. (More generally, this is true when we must solve several linear systems with the same matrix $M$ but different right hand sides $B$.) We should compute the inverse of $M$, and then the solution of a linear system requires only a simple matrix times vector multiplication requiring $n^2$ field multiplications.

To obtain the inverse of $M$, only a slight modification of Algorithm 2.2.1 is necessary.

Algorithm 2.2.2 (Inverse of a Matrix). Let $M$ be an $n \times n$ matrix. This algorithm either outputs a message saying that $M$ is not invertible, or outputs the inverse of $M$. We use an auxiliary column vector $C$ and we recall that $B'_i$ (resp. $X'_i$) denotes the $i$-th row of $B$ (resp. $X$).

1. [Initialize] Set $j \leftarrow 0$, $B \leftarrow I_n$, where $I_n$ is the $n \times n$ identity matrix.

2. [Finished?] Let $j \leftarrow j + 1$. If $j > n$, go to step 6.

3. [Find non-zero entry] If $m_{i,j} = 0$ for all $i \ge j$, output a message saying that $M$ is not invertible and terminate the algorithm. Otherwise, let $i \ge j$ be some index such that $m_{i,j} \ne 0$.

4. [Swap?] If $i > j$, for $l = j, \dots, n$ exchange $m_{i,l}$ and $m_{j,l}$, and exchange the rows $B'_i$ and $B'_j$.

5. [Eliminate] (Here $m_{j,j} \ne 0$.) Set $d \leftarrow m_{j,j}^{-1}$ and for all $k > j$ set $c_k \leftarrow d\,m_{k,j}$. Then for all $k > j$ and $l > j$ set $m_{k,l} \leftarrow m_{k,l} - c_k m_{j,l}$. (Note that we do not need to compute this for $l = j$ since it is equal to zero.) Finally, for all $k > j$ set $B'_k \leftarrow B'_k - c_k B'_j$ and go to step 2.

6. [Solve triangular system] (Here $M$ is an upper triangular matrix.) For $i = n, n-1, \dots, 1$ (in that order) set $X'_i \leftarrow \bigl(B'_i - \sum_{i < j \le n} m_{i,j} X'_j\bigr) / m_{i,i}$, output the matrix $X$ and terminate the algorithm.

It is easy to check that the number of multiplications/divisions needed is asymptotic to $4n^3/3$ in the general case. This is only four times longer than the number required for solving a single linear system. Thus as soon as more than four linear systems with the same matrix need to be solved, it is worthwhile to compute the inverse matrix.

Remarks.

(1) In step 1 of the algorithm, the matrix $B$ is initialized to $I_n$. If instead, we initialize $B$ to be any $n \times m$ matrix $N$ for any $m$, the result is the matrix $M^{-1}N$, and this is of course faster than computing $M^{-1}$ and then the matrix product. The case $m = 1$ is exactly Algorithm 2.2.1.

(2) Instead of explicitly computing the inverse of $M$, it is worthwhile for many applications to put $M$ in LUP form, i.e. to find a lower triangular matrix $L$ and an upper triangular matrix $U$ such that $M = LUP$ for some permutation matrix $P$. (Recall that a permutation matrix is a square matrix whose elements are only 0 or 1 such that each row and column has exactly one 1.) Exercise 3 shows how this can be done. Once $M$ is in this form, solving linear systems, inverting $M$, computing $\det(M)$, etc. is much simpler (see [AHU] and [PFTV]).
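Added here as an illustration (this is not code from the book): a Python implementation of Algorithm 2.2.2 with $B$ initialised to an arbitrary $n \times m$ matrix $N$, as in Remark (1), so that it returns $M^{-1}N$; with $N$ a single column it is Algorithm 2.2.1, and with $N = I_n$ it is the inverse. Indices are 0-based as discussed in Section 2.2.1, the field is either $\mathbb{Q}$ (exact Fractions) or $\mathbb{F}_p$ when a prime p is given, and the function names and sample matrices are my own.

```python
from fractions import Fraction


def _inv(x, p):
    """Inverse of a field element: modular inverse in F_p, or 1/x in Q."""
    return pow(x, -1, p) if p else Fraction(1) / x


def _red(x, p):
    """Normalise a field element: reduce mod p, or keep as an exact Fraction."""
    return x % p if p else Fraction(x)


def solve_right(M, N, p=None):
    """Algorithm 2.2.2 with B initialised to N (Remark 1): returns X = M^{-1} N,
    or None if M is not invertible.  M is n x n, N is n x m (lists of rows).
    Indices are 0-based, as discussed in Section 2.2.1."""
    n, m = len(M), len(N[0])
    A = [[_red(x, p) for x in row] for row in M]   # working copy of M
    B = [[_red(x, p) for x in row] for row in N]   # working copy of N
    for j in range(n):
        # Step 3: find a non-zero entry in column j on or below the diagonal.
        i = next((r for r in range(j, n) if A[r][j] != 0), None)
        if i is None:
            return None                              # M is not invertible
        # Step 4: swap rows i and j of both M and B.
        if i != j:
            A[i], A[j] = A[j], A[i]
            B[i], B[j] = B[j], B[i]
        # Step 5: one inversion of the pivot, then only multiplications.
        d = _inv(A[j][j], p)
        for k in range(j + 1, n):
            ck = _red(d * A[k][j], p)
            if ck == 0:
                continue
            A[k][j] = _red(0, p)                     # known to become zero
            for l in range(j + 1, n):
                A[k][l] = _red(A[k][l] - ck * A[j][l], p)
            for l in range(m):
                B[k][l] = _red(B[k][l] - ck * B[j][l], p)
    # Step 6: M is now upper triangular; back-substitute from the last row up.
    X = [[_red(0, p)] * m for _ in range(n)]
    for i in range(n - 1, -1, -1):
        d = _inv(A[i][i], p)
        for l in range(m):
            s = B[i][l] - sum(A[i][j] * X[j][l] for j in range(i + 1, n))
            X[i][l] = _red(d * s, p)
    return X


def matrix_inverse(M, p=None):
    """Algorithm 2.2.2 proper: the case N = I_n."""
    n = len(M)
    identity = [[1 if i == j else 0 for j in range(n)] for i in range(n)]
    return solve_right(M, identity, p)


if __name__ == "__main__":
    # Constructed sample: det(M) = -1, so M is invertible over Q and every F_p.
    M = [[2, 1, 1], [1, 3, 2], [1, 0, 0]]
    print(solve_right(M, [[4], [5], [6]]))        # solution (6, 15, -23) as Fractions
    print(solve_right(M, [[4], [5], [6]], p=7))   # the same system over F_7
    print(matrix_inverse(M))                      # M^{-1} as Fractions
    print(matrix_inverse([[1, 2], [2, 4]]))       # None: singular matrix
```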


2.2.3 Computing Determinants

To compute determinants, we can simply use Gaussian elimination as in Algorithm 2.2.1. Since the final matrix is triangular, the determinant is trivial to compute. This gives the following algorithm.

Algorithm 2.2.3 (Determinant, Using Ordinary Elimination). Let $M$ be an $n \times n$ matrix. This algorithm outputs the determinant of $M$. We use an auxiliary column vector $C$.

1. [Initialize] Set $j \leftarrow 0$, $x \leftarrow 1$.

2. [Finished?] Let $j \leftarrow j + 1$. If $j > n$ output $x$ and terminate the algorithm.

3. [Find non-zero entry] If $m_{i,j} = 0$ for all $i \ge j$, output 0 and terminate the algorithm. Otherwise, let $i \ge j$ be some index such that $m_{i,j} \ne 0$.

4. [Swap?] If $i > j$, for $l = j, \dots, n$ exchange $m_{i,l}$ and $m_{j,l}$, and set $x \leftarrow -x$.

5. [Eliminate] (Here $m_{j,j} \ne 0$.) Set $d \leftarrow m_{j,j}^{-1}$ and for all $k > j$ set $c_k \leftarrow d\,m_{k,j}$. Then for all $k > j$ and $l > j$ set $m_{k,l} \leftarrow m_{k,l} - c_k m_{j,l}$. (Note that we do not need to compute this for $l = j$ since it is equal to zero.) Finally, set $x \leftarrow x \cdot m_{j,j}$ and go to step 2.

The number of multiplications/divisions needed in this algorithm is clearly of the same order as Algorithm 2.2.1, i.e. asymptotic to $n^3/3$ in general.

Very often, this algorithm will be used in the case where the matrix $M$ has entries in $\mathbb{Z}$ or some polynomial ring. In this case, the elimination step will introduce denominators, and these have a tendency to get very large. Furthermore, the coefficients of the intermediate matrices will be in $\mathbb{Q}$ (or some rational function field), and hence large GCD computations will be necessary which will slow down the algorithm even more. All this is of course valid for the other straightforward elimination algorithms that we have seen.

On the other hand, if the base field is a finite field $\mathbb{F}_q$, we do not have such problems. If the base field is inexact, like the real or complex numbers or the $p$-adic numbers, care must be taken for numerical stability. For example, numerical analysis books advise taking the largest non-zero entry (in absolute value) and not the first non-zero one found. We refer to [Gol-Van], [PFTV] for more details on these stability problems.

To overcome the problems that we encounter when the matrix $M$ has integer coefficients, several methods can be used (and similarly when $M$ has coefficients in a polynomial ring). The first method is to compute $\det(M)$ modulo sufficiently many primes (using Algorithm 2.2.3 which is efficient here), and then use the Chinese remainder Theorem 1.3.9 to obtain the exact value of $\det(M)$. This can be done as soon as we know an a priori upper bound for $|\det(M)|$. (We then simply choose sufficiently many primes $p_i$ so that the product of the $p_i$ is greater than twice the upper bound.) Such an upper bound is given by Hadamard's inequality which we will prove below (Corollary 2.5.5; note that this corollary is proved in the context of real matrices, i.e. Euclidean vector spaces, but its proof is identical for Hermitian vector spaces).

Proposition 2.2.4 (Hadamard's Inequality). If $M = (m_{i,j})_{1 \le i,j \le n}$ is a square matrix with complex coefficients, then
\[
|\det(M)| \le \prod_{1 \le i \le n} \Bigl( \sum_{1 \le j \le n} |m_{i,j}|^2 \Bigr)^{1/2}.
\]
This method for computing determinants can be much faster than a direct computation using Algorithm 2.2.3, but will be slower when the number of primes needed for the Chinese remainder theorem is large. This happens because the size of the Hadamard bound is often far from ideal.

Another method is based on the following easily proved proposition due to Dodgson (alias Lewis Carroll), which is a special case of a general theorem due to Bareiss [Bar].


Proposition 2.2.5. Let $M_0 = (a_{i,j})_{1 \le i,j \le n}$ be an $n \times n$ matrix where the coefficients are considered as independent variables. Set $c_0 = 1$ and for $1 \le k < n$, define recursively
\[
M_k = \bigl(a^{(k)}_{i,j}\bigr)_{k+1 \le i,j \le n}, \qquad
a^{(k)}_{i,j} = \frac{1}{c_{k-1}} \det \begin{pmatrix} a^{(k-1)}_{k,k} & a^{(k-1)}_{k,j} \\[2pt] a^{(k-1)}_{i,k} & a^{(k-1)}_{i,j} \end{pmatrix}
\]
and
\[
c_k = a^{(k-1)}_{k,k}.
\]
Finally, let $c_n = a^{(n-1)}_{n,n}$. Then all the divisions by $c_{k-1}$ are exact; we have $\det(M_k) = c_k^{\,n-k-1} \det(M_0)$, and in particular $\det(M_0) = c_n$.

Proof (Sketch). Going from $M_{k-1}$ to $M_k$ is essentially Gaussian elimination, except that the denominators are removed. This shows that
\[
\det(M_k) = \frac{c_k^{\,n-k-1}}{c_{k-1}^{\,n-k}} \det(M_{k-1}),
\]
thus proving the formula for $\det(M_k)$ by induction.

That all the divisions by $c_{k-1}$ are exact comes from the easily checked fact that we can explicitly write the coefficients $a^{(k)}_{i,j}$ as $(k+1) \times (k+1)$ minors of the matrix $M_0$ (see Exercise 5). □

We have stated this proposition with matrices having coefficients considered as independent variables. For more special rings, some $c_k$ may vanish, in which case one must exchange rows or columns, as in Algorithm 2.2.3, and keep track of the sign changes. This leads to the following method for computing determinants.

Algorithm 2.2.6 (Determinant Using Gauss-Bareiss). Given an $n \times n$ matrix $M$ with coefficients in an integral domain $R$, this algorithm computes the determinant of $M$. All the intermediate results are in $R$.

1. [Initialize] Set $k \leftarrow 0$, $c \leftarrow 1$, $s \leftarrow 1$.

2. [Increase $k$] Set $k \leftarrow k + 1$. If $k = n$ output $s \cdot m_{n,n}$ and terminate the algorithm. Otherwise, set $p \leftarrow m_{k,k}$.

3. [Is $p = 0$?] If $p \ne 0$ go to step 4. Otherwise, look for the first non-zero coefficient $m_{i,k}$ in the $k$-th column, with $k + 1 \le i \le n$. If no such coefficient exists, output 0 and terminate the algorithm. If it does, for $j = k, \dots, n$ exchange $m_{i,j}$ and $m_{k,j}$, then set $s \leftarrow -s$ and $p \leftarrow m_{k,k}$.

4. [Main step] ($p$ is now non-zero.) For $i = k+1, \dots, n$ and $j = k+1, \dots, n$ set $t \leftarrow p\,m_{i,j} - m_{i,k} m_{k,j}$, then $m_{i,j} \leftarrow t/c$ where the division is exact. Then set $c \leftarrow p$ and go to step 2.

Although this algorithm is particularly well suited to the computation of determinants when the matrix $M$ has integer (or similar type) entries, it can of course be used in general. There is however a subtlety which must be taken into account when dealing with inexact entries.

Assume for example that the coefficients of $M$ are polynomials with real coefficients. These in general will be imprecise. Then in step 4, the division $t/c$ will, in general, not give a polynomial, but rather a rational function. This is because when we perform the Euclidean division of $t$ by $c$, there may be a very small but non-zero remainder. In this case, when implementing the algorithm, it is essential to compute $t/c$ using Euclidean division, and discard the remainder, if any.

The number of necessary multiplications/divisions in this modified algorithm is asymptotic to $n^3$ instead of $n^3/3$ in Algorithm 2.2.3, but using Gauss-Bareiss considerably improves on the time needed for the basic multiplications and divisions and this usually more than compensates for the factor of 3.

Finally, note that although we have explained the Gauss-Bareiss method for computing determinants, it can usually be applied to any other algorithmic problem using Gaussian elimination, where the coefficients are integers (see Exercise 6).
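The following Python code is an added example, not the book's own: det_mod_p is Algorithm 2.2.3 over $\mathbb{F}_p$, det_by_crt applies the first method above (residues modulo primes whose product exceeds twice the Hadamard bound of Proposition 2.2.4, recombined by Chinese remaindering), and bareiss_det is Algorithm 2.2.6 over $\mathbb{Z}$ with the exactness of each division $t/c$ checked. The function names and sample matrices are my own.

```python
from math import isqrt


def hadamard_bound(M):
    """Proposition 2.2.4: |det M| <= prod_i (sum_j m_ij^2)^(1/2).
    Each row norm is rounded up, so the result is an integer upper bound."""
    bound = 1
    for row in M:
        s = sum(x * x for x in row)
        r = isqrt(s)
        bound *= r if r * r == s else r + 1
    return bound


def next_prime(p):
    """Smallest prime strictly greater than p (trial division; small p only)."""
    q = p + 1
    while any(q % d == 0 for d in range(2, isqrt(q) + 1)):
        q += 1
    return q


def det_mod_p(M, p):
    """Algorithm 2.2.3 over F_p (0-based indices): ordinary elimination,
    tracking the sign of row swaps and the product of the pivots."""
    n = len(M)
    A = [[a % p for a in row] for row in M]
    x = 1
    for j in range(n):
        i = next((r for r in range(j, n) if A[r][j] != 0), None)
        if i is None:
            return 0                          # column j has no pivot: singular
        if i != j:
            A[i], A[j] = A[j], A[i]
            x = -x                            # a swap changes the sign
        d = pow(A[j][j], -1, p)               # one inverse per pivot
        for k in range(j + 1, n):
            ck = d * A[k][j] % p
            for l in range(j + 1, n):
                A[k][l] = (A[k][l] - ck * A[j][l]) % p
        x = x * A[j][j] % p
    return x


def det_by_crt(M):
    """Exact det(M) for an integer matrix: residues modulo primes whose
    product exceeds twice the Hadamard bound, then Chinese remaindering."""
    target = 2 * hadamard_bound(M)
    modulus, residue, p = 1, 0, 1
    while modulus <= target:
        p = next_prime(p)
        r = det_mod_p(M, p)
        # Lift residue (mod modulus) to (mod modulus * p) so that it is r mod p.
        t = (r - residue) * pow(modulus, -1, p) % p
        residue += modulus * t
        modulus *= p
    # |det M| < modulus / 2, so the symmetric representative is the answer.
    return residue - modulus if residue > modulus // 2 else residue


def bareiss_det(M):
    """Algorithm 2.2.6 (Gauss-Bareiss): fraction-free elimination in Z.
    Every division t // c is exact; the assert documents that invariant."""
    n = len(M)
    A = [list(row) for row in M]
    c, s = 1, 1
    for k in range(n - 1):                     # the book's k = 1 .. n-1
        p = A[k][k]
        if p == 0:                             # step 3: look below for a pivot
            i = next((r for r in range(k + 1, n) if A[r][k] != 0), None)
            if i is None:
                return 0
            A[i], A[k] = A[k], A[i]
            s, p = -s, A[k][k]
        for i in range(k + 1, n):              # step 4: main step
            for j in range(k + 1, n):
                t = p * A[i][j] - A[i][k] * A[k][j]
                assert t % c == 0, "Bareiss division must be exact"
                A[i][j] = t // c
        c = p
    return s * A[n - 1][n - 1]


if __name__ == "__main__":
    # Constructed sample matrices: det(M4) = 98, det(M3) = 8 (needs a row swap).
    M4 = [[3, 1, 4, 1], [5, 9, 2, 6], [5, 3, 5, 8], [9, 7, 9, 3]]
    M3 = [[0, 2, 1], [1, 1, 3], [2, 0, 1]]
    for M in (M4, M3):
        print(hadamard_bound(M), det_by_crt(M), bareiss_det(M))
```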


2.2.4 Computing the Characteristic Polynomial

Recall that if $M$ is an $n \times n$ square matrix, the characteristic polynomial of $M$ is the monic polynomial of degree $n$ defined by
\[
P(X) = \det(XI_n - M),
\]
where as usual $I_n$ is the $n \times n$ identity matrix. We want to compute the coefficients of $P(X)$. Note that the constant term of $P(X)$ is equal to $(-1)^n \det(M)$, and more generally the coefficients of $P(X)$ can be expressed as the sum of the so-called principal minors of $M$ which are sub-determinants of $M$. To compute the coefficients of $P(X)$ in this manner is usually not the best way to proceed. (In fact the number of such minors grows exponentially with $n$.) In addition to the method which I have just mentioned, there are essentially four methods for computing $P(X)$.

The first method is to apply the definition directly, and to use the Gauss-Bareiss algorithm for computing $\det(XI_n - M)$, this matrix considered as having coefficients in the ring $K[X]$. Although computing in $K[X]$ is more expensive than computing in $K$, this method can be quite fast in some cases.

The second method is to apply Lagrange interpolation. In our special case, this gives the following formula.


\[
\det(XI_n - M) = \sum_{k=0}^{n} \det(kI_n - M) \prod_{\substack{0 \le j \le n \\ j \ne k}} \frac{X - j}{k - j}.
\]


This formula is easily checked since both sides are polynomials of degree less than or equal to $n$ which agree on the $n + 1$ points $X = i$ for $0 \le i \le n$.

Hence, to compute the characteristic polynomial of $M$, it is enough to compute $n + 1$ determinants, and this is usually faster than the first method. Since multiplication and division by small constants can be neglected in timing estimates, this method requires asymptotically $n^4/3$ multiplications/divisions when we use ordinary Gaussian elimination.

The third method is based on the computation of the adjoint matrix or comatrix of $M$, i.e. the matrix $M^{\mathrm{adj}}$ whose coefficient of row $i$ and column $j$ is equal to $(-1)^{i+j}$ times the sub-determinant of $M$ obtained by removing row $j$ and column $i$ (note that $i$ and $j$ are reversed). From the expansion rule of determinants along rows or columns, it is clear that this matrix satisfies the identity
\[
M M^{\mathrm{adj}} = M^{\mathrm{adj}} M = \det(M)\, I_n.
\]
We give the method as an algorithm.


Algorithm 2.2.7 (Characteristic Polynomial and Adjoint Matrix). Given an $n \times n$ matrix $M$, this algorithm computes the characteristic polynomial $P(X) = \det(XI_n - M)$ of $M$ and the adjoint matrix $M^{\mathrm{adj}}$ of $M$. We use an auxiliary matrix $C$ and auxiliary elements $a_i$.

1. [Initialize] Set $i \leftarrow 0$, $C \leftarrow I_n$, $a_0 \leftarrow 1$.

2. [Finished?] Set $i \leftarrow i + 1$. If $i = n$ set $a_n \leftarrow -\mathrm{Tr}(MC)/n$, output $P(X) \leftarrow \sum_{0 \le i \le n} a_i X^{n-i}$, $M^{\mathrm{adj}} \leftarrow (-1)^{n-1} C$ and terminate the algorithm.

3. [Compute next $a_i$ and $C$] Set $C \leftarrow MC$, $a_i \leftarrow -\mathrm{Tr}(C)/i$, $C \leftarrow C + a_i I_n$ and go to step 2.


Before proving the validity of this algorithm, we prove a lemma.

Lemma 2.2.8. Let $M$ be an $n \times n$ matrix, $A(X)$ be the adjoint matrix of $XI_n - M$, and $P(X)$ the characteristic polynomial of $M$. We have the identity
\[
\mathrm{Tr}(A(X)) = P'(X).
\]


Proof. Recall that the determinant is multilinear, hence the derivative of an $n \times n$ determinant is equal to the sum of the $n$ determinants obtained by replacing the $j$-th column by its derivative, for $1 \le j \le n$. In our case, calling $E_j$ the columns of the identity matrix (i.e. the canonical basis of $K^n$), we have, after expanding the determinants along the $j$-th column
\[
P'(X) = \bigl(\det(XI - M)\bigr)' = \sum_{1 \le j \le n} A_{j,j}(X),
\]
where $A_{j,j}(X)$ is the $(n-1) \times (n-1)$ sub-determinant of $XI - M$ obtained by removing row and column $j$, i.e. $A_{j,j}$ is the coefficient of row and column $j$ of the adjoint matrix $A(X)$, and this proves the lemma. □

Proof of the Algorithm. Call $A(X)$ the adjoint matrix of $XI_n - M$. We can write $A(X) = \sum_{0 \le i \le n-1} C_i X^{n-1-i}$ with constant matrices $C_i$. From the lemma, it follows that if $P(X) = \sum_{0 \le i \le n} a_i X^{n-i}$ we have
\[
(n - i)\,a_i = \mathrm{Tr}(C_i).
\]
On the other hand, since $P(X)\, I_n = (XI_n - M) A(X)$, we obtain by comparing coefficients $C_0 = I_n$ and for $i \ge 1$
\[
C_i = M C_{i-1} + a_i I_n.
\]
Taking traces, this gives $(n - i)\,a_i = \mathrm{Tr}(M C_{i-1}) + n a_i$, i.e. $a_i = -\mathrm{Tr}(M C_{i-1})/i$. Finally, it is clear that $A(0) = C_{n-1}$ is the adjoint matrix of $-M$, hence $(-1)^{n-1} C_{n-1}$ is the adjoint matrix of $M$, thus showing the validity of the algorithm. □

The total number of operations is easily seen to be asymptotic to $n^4$ multiplications, and this may seem slower (by a factor of 3) than the method based on Lagrange interpolation. However, since no divisions are required the basic multiplication/division time is reduced considerably, especially when the matrix $M$ has integral entries, and hence this algorithm is in fact faster. In addition, it gives for free the adjoint matrix of $M$ (and even of $XI_n - M$ if we want it).
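As an added example (not taken from the book), here is Algorithm 2.2.7 in Python for an integer matrix, together with a check of the identity $M M^{\mathrm{adj}} = \det(M)\, I_n$ and a Horner evaluation of $P(M)$, which the Cayley-Hamilton theorem says must be the zero matrix. The helper names and the sample matrix are my own; the divisions $\mathrm{Tr}(MC)/i$ are exact over $\mathbb{Z}$, which the code asserts.

```python
def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


def matmul(A, B):
    n, m, k = len(A), len(B[0]), len(B)
    return [[sum(A[i][t] * B[t][j] for t in range(k)) for j in range(m)] for i in range(n)]


def trace(A):
    return sum(A[i][i] for i in range(len(A)))


def charpoly_and_adjoint(M):
    """Algorithm 2.2.7 for an integer matrix.  Returns (a, adj) where
    a = [a_0, ..., a_n] are the coefficients of P(X) = sum a_i X^(n-i)
    (so a_0 = 1) and adj is M^adj.  The only divisions, Tr(MC)/i, are exact."""
    n = len(M)
    C = identity(n)                      # C_0
    a = [1]                              # a_0
    for i in range(1, n):                # step 3 for i = 1 .. n-1
        C = matmul(M, C)                 # M C_{i-1}
        tr = trace(C)
        assert tr % i == 0, "Tr(M C_{i-1}) is divisible by i over Z"
        a.append(-tr // i)               # a_i = -Tr(M C_{i-1}) / i
        for k in range(n):
            C[k][k] += a[i]              # C_i = M C_{i-1} + a_i I_n
    tr = trace(matmul(M, C))             # step 2 at i = n: a_n = -Tr(M C_{n-1}) / n
    assert tr % n == 0
    a.append(-tr // n)
    sign = 1 if n % 2 == 1 else -1       # (-1)^(n-1)
    adj = [[sign * x for x in row] for row in C]
    return a, adj


def evaluate_at_matrix(a, M):
    """Horner evaluation of P(M) = sum a_i M^(n-i); Cayley-Hamilton gives 0."""
    n = len(M)
    R = [[0] * n for _ in range(n)]
    for coef in a:
        R = matmul(M, R)
        for k in range(n):
            R[k][k] += coef
    return R


if __name__ == "__main__":
    M = [[2, 1, 1], [1, 3, 2], [1, 0, 0]]     # constructed sample, det(M) = -1
    a, adj = charpoly_and_adjoint(M)
    print(a)                                   # coefficients of X^3 - 5X^2 + 4X + 1
    print(matmul(M, adj))                      # det(M) * I_3
    print(evaluate_at_matrix(a, M))            # the zero matrix
```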

The fourth and last method is based on the notion of Hessenberg form of a matrix. We first compute a matrix $H$ which is similar to $M$ (i.e. is of the form $PMP^{-1}$), and in particular has the same characteristic polynomial as $M$, and which has the following form (Hessenberg form)
\[
H = \begin{pmatrix}
h_{1,1} & h_{1,2} & h_{1,3} & \cdots & h_{1,n} \\
k_2 & h_{2,2} & h_{2,3} & \cdots & h_{2,n} \\
0 & k_3 & h_{3,3} & \cdots & h_{3,n} \\
\vdots & \ddots & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & k_n & h_{n,n}
\end{pmatrix}.
\]
In this form, since we have a big triangle of zeros on the bottom left, it is not difficult to obtain a recursive relation for the characteristic polynomial of $H$, hence of $M$. More precisely, if $p_m(X)$ is the characteristic polynomial of the sub-matrix of $H$ formed by the first $m$ rows and columns, we have $p_0(X) = 1$ and the recursion:
\[
p_m(X) = (X - h_{m,m})\,p_{m-1}(X) - \sum_{i=1}^{m-1} h_{i,m} \Bigl( \prod_{j=i+1}^{m} k_j \Bigr) p_{i-1}(X).
\]

This leads to the following algorithm.

Algorithm 2.2.9 (Hessenberg). Given an $n \times n$ matrix $M = (m_{i,j})$ with coefficients in a field, this algorithm computes the characteristic polynomial of $M$ by first transforming $M$ into a Hessenberg matrix as above.

1. [Initialize] Set $H \leftarrow M$, $m \leftarrow 2$.

2. [Search for non-zero] If all the $h_{i,m-1}$ with $i \ge m$ are equal to 0, go to step 4. Otherwise, let $i \ge m$ be the smallest index such that $h_{i,m-1} \ne 0$. Set $t \leftarrow h_{i,m-1}$. Then if $i > m$, for all $j \ge m - 1$ exchange $h_{i,j}$ and $h_{m,j}$ and exchange column $H_i$ with column $H_m$.

3. [Eliminate] For $i = m+1, \dots, n$ do the following if $h_{i,m-1} \ne 0$: set $u \leftarrow h_{i,m-1}/t$, for all $j \ge m$ set $h_{i,j} \leftarrow h_{i,j} - u\,h_{m,j}$, set $h_{i,m-1} \leftarrow 0$, and finally set column $H_m \leftarrow H_m + u H_i$.

4. [Hessenberg finished?] If $m < n - 1$, set $m \leftarrow m + 1$ and go to step 2.

5. [Initialize characteristic polynomial] Set $p_0(X) \leftarrow 1$ and $m \leftarrow 1$.

6. [Initialize computation] Set $p_m(X) \leftarrow (X - h_{m,m})\,p_{m-1}(X)$ and $t \leftarrow 1$.

7. [Compute $p_m$] For $i = 1, \dots, m - 1$ do the following: set $t \leftarrow t\,h_{m-i+1,m-i}$, $p_m(X) \leftarrow p_m(X) - t\,h_{m-i,m}\,p_{m-i-1}(X)$.

8. [Finished?] If $m < n$ set $m \leftarrow m + 1$ and go to step 6. Otherwise, output $p_n(X)$ and terminate the algorithm.

This algorithm requires asymptotically only $n^3$ multiplications/divisions in the general case, and this is much better than the preceding algorithms when $n$ is large. If $M$ has integer coefficients however, the Hessenberg form as well as the intermediate results will usually be non-integral rational numbers, hence we lose all the advantage of the reduced operation count, since the time needed for the basic multiplications/divisions will be large. In that case, one should not use the Hessenberg algorithm directly. Instead, one should apply it to compute the characteristic polynomial modulo sufficiently many primes and use the Chinese remainder theorem, exactly as we did for the determinant. For this, we need bounds for the coefficients of the characteristic polynomial, analogous to the Hadamard bound. The following result, although not optimal, is easy to prove and gives a reasonably good estimate.
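An added Python example (not the book's code) of Algorithm 2.2.9 over $\mathbb{F}_p$, the setting recommended above for integer matrices: hessenberg_form carries out steps 1 to 4 with 0-based indices, and charpoly_hessenberg runs the recursion of steps 5 to 8 on the result. Polynomials are coefficient lists, and the function names and sample matrices are my own.

```python
def _x_minus_times(h, q, p):
    """(X - h) * q(X) mod p; polynomials are coefficient lists, low degree first."""
    out = [0] + q                                 # X * q(X)
    for k, coef in enumerate(q):
        out[k] = (out[k] - h * coef) % p
    return out


def _sub_scaled(a, s, b, p):
    """a(X) - s * b(X) mod p (here deg b < deg a always holds)."""
    return [(a[k] - s * (b[k] if k < len(b) else 0)) % p for k in range(len(a))]


def hessenberg_form(M, p):
    """Steps 1-4 of Algorithm 2.2.9 over F_p: a matrix similar to M with zeros
    below the first sub-diagonal.  0-based: the book's column m-1 is index c
    and its pivot row m is index r = c + 1."""
    n = len(M)
    H = [[x % p for x in row] for row in M]
    for c in range(n - 2):
        r = c + 1
        i = next((k for k in range(r, n) if H[k][c] != 0), None)
        if i is None:
            continue                              # column already clear
        piv = H[i][c]
        if i != r:                                # similarity swap: rows and columns
            H[i], H[r] = H[r], H[i]
            for row in H:
                row[i], row[r] = row[r], row[i]
        inv = pow(piv, -1, p)
        for i2 in range(r + 1, n):
            if H[i2][c] == 0:
                continue
            u = H[i2][c] * inv % p
            for j in range(r, n):                 # row i2 <- row i2 - u * row r
                H[i2][j] = (H[i2][j] - u * H[r][j]) % p
            H[i2][c] = 0
            for k in range(n):                    # column r <- column r + u * column i2
                H[k][r] = (H[k][r] + u * H[k][i2]) % p
    return H


def charpoly_hessenberg(M, p):
    """Steps 5-8 of Algorithm 2.2.9: the recursion for p_m(X) read off H.
    Returns [a_0, ..., a_n] with P(X) = sum a_k X^(n-k), a_0 = 1, mod p."""
    n = len(M)
    H = hessenberg_form(M, p)
    polys = [[1]]                                 # p_0(X) = 1
    for m in range(1, n + 1):
        pm = _x_minus_times(H[m - 1][m - 1], polys[m - 1], p)
        t = 1
        for i in range(1, m):
            t = t * H[m - i][m - i - 1] % p       # t <- t * h_{m-i+1, m-i}
            pm = _sub_scaled(pm, t * H[m - i - 1][m - 1] % p, polys[m - i - 1], p)
        polys.append(pm)
    return polys[n][::-1]                         # highest power first


if __name__ == "__main__":
    # Constructed samples: the first has P(X) = X^3 - 5X^2 + 4X + 1, the second
    # is a permutation matrix whose reduction needs the swap of step 2.
    print(charpoly_hessenberg([[2, 1, 1], [1, 3, 2], [1, 0, 0]], 7))
    print(charpoly_hessenberg([[0, 0, 1], [0, 1, 0], [1, 0, 0]], 5))
```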

Proposition 2.2.10. Let $M = (m_{i,j})$ be an $n \times n$ matrix, and write $\det(XI_n - M) = \sum_{0 \le k \le n} a_k X^{n-k}$ with $a_0 = 1$. Let $B$ be an upper bound for the moduli of all the $m_{i,j}$. Then the coefficients $a_k$ satisfy the inequality
\[
|a_k| \le \binom{n}{k} k^{k/2} B^k.
\]


Proof. As already mentioned, the coefficient $a_k$ is up to sign equal to the sum of the $\binom{n}{k}$ principal $k \times k$ minors. By Hadamard's inequality (Proposition 2.2.4), each of these minors is bounded by $\prod_i \bigl(\sum_j |m_{i,j}|^2\bigr)^{1/2}$ where the product and the sums have $k$ terms. Hence the minors are bounded by $(kB^2)^{k/2} = k^{k/2} B^k$, and this gives the proposition. □


Remarks.

(1) The optimal form for computing the characteristic polynomial of a matrix would be triangular. This is however not possible if the eigenvalues of the matrix are not in the base field, hence the Hessenberg form can be considered as the second best choice.

(2) A problem related to computing the characteristic polynomial is to compute the eigenvalues (and eigenvectors) of a matrix, say with real or complex coefficients. These are by definition the roots of the characteristic polynomial $P(X)$. Therefore, we could compute $P(X)$ using one of the above methods, then find the roots of $P(X)$ using Algorithm 3.6.6 which we will see later, and finally apply Algorithm 2.2.1 to get the eigenvectors. This is however not the way to proceed in general since much better methods based on iterative processes are available from numerical analysis (see [Gol-Van], [PFTV]), and we will not study this subject here.


2.3 Linear Algebra on General Matrices

2.3.1 Kernel and Image

We now come to linear algebra problems which deal with arbitrary $m \times n$ matrices $M$ with coefficients in a field $K$. Recall from above that $M$ can be viewed as giving a generating set for the subspace of $K^m$ generated by the columns of $M$, or as the matrix of a linear map from an $n$-dimensional space to an $m$-dimensional space with respect to some bases. (Beware of the order of $m$ and $n$.) It is usually conceptually easier to think of $M$ in this way.

The first basic algorithm that we will need is for computing the kernel of $M$, i.e. a basis for the space of column vectors $X$ such that $MX = 0$. The following algorithm is adapted from [Knu2].


Algorithm 2.3.1 (Kernel of a Matrix). Given an $m \times n$ matrix $M = (m_{i,j})$ with $1 \le i \le m$ and $1 \le j \le n$ having coefficients in a field $K$, this algorithm outputs a basis of the kernel of $M$, i.e. of column vectors $X$ such that $MX = 0$. We use auxiliary constants $c_i$ ($1 \le i \le m$) and $d_i$ ($1 \le i \le n$).

1. [Initialize] Set $r \leftarrow 0$, $k \leftarrow 1$ and for $i = 1, \dots, m$, set $c_i \leftarrow 0$ (there is no need to initialize $d_i$).

2. [Scan column] If there does not exist a $j$ such that $1 \le j \le m$ with $m_{j,k} \ne 0$ and $c_j = 0$ then set $r \leftarrow r + 1$, $d_k \leftarrow 0$ and go to step 4.

3. [Eliminate] Set $d \leftarrow -m_{j,k}^{-1}$, $m_{j,k} \leftarrow -1$ and for $s = k+1, \dots, n$ set $m_{j,s} \leftarrow d\,m_{j,s}$. Then for all $i$ such that $1 \le i \le m$ and $i \ne j$ set $d \leftarrow m_{i,k}$, $m_{i,k} \leftarrow 0$ and for $s = k+1, \dots, n$ set $m_{i,s} \leftarrow m_{i,s} + d\,m_{j,s}$. Finally, set $c_j \leftarrow k$ and $d_k \leftarrow j$.

4. [Finished?] If $k < n$ set $k \leftarrow k + 1$ and go to step 2.

5. [Output kernel] (Here $r$ is the dimension of the kernel.) For every $k$ such that $1 \le k \le n$ and $d_k = 0$ (there will be exactly $r$ such $k$), output the column vector $X = (x_i)_{1 \le i \le n}$ defined by
\[
x_i = \begin{cases} m_{d_i,k}, & \text{if } d_i > 0 \\ 1, & \text{if } i = k \\ 0, & \text{otherwise.} \end{cases}
\]
These $r$ vectors form a basis for the kernel of $M$. Terminate the algorithm.

The proof of the validity of this algorithm is not difficult and is left as an exercise for the reader (see Exercise 8). In fact, the main point is that $c_j > 0$ if and only if $m_{j,c_j} = -1$ and all other entries in column $c_j$ are equal to zero.

Note also that step 3 looks complicated because I wanted to give as efficient an algorithm as possible, but in fact it corresponds to elementary row operations.

Only a slight modification of this algorithm gives the image of $M$, i.e. a basis for the vector space spanned by the columns of $M$. In fact, apart from the need to make a copy of the initial matrix $M$, only step 5 needs to be changed.


Algorithm 2.3.2 (Image of a Matrix). Given an $m \times n$ matrix $M = (m_{i,j})$ with $1 \le i \le m$ and $1 \le j \le n$ having coefficients in a field $K$, this algorithm outputs a basis of the image of $M$, i.e. the vector space spanned by the columns of $M$. We use auxiliary constants $c_i$ ($1 \le i \le m$).

1. [Initialize] Set $r \leftarrow 0$, $k \leftarrow 1$ and for $i = 1, \dots, m$, set $c_i \leftarrow 0$, and let $N \leftarrow M$ (we need to keep a copy of the initial matrix $M$).

2. [Scan column] If there does not exist a $j$ such that $1 \le j \le m$ with $m_{j,k} \ne 0$ and $c_j = 0$ then set $r \leftarrow r + 1$, $d_k \leftarrow 0$ and go to step 4.

3. [Eliminate] Set $d \leftarrow -m_{j,k}^{-1}$, $m_{j,k} \leftarrow -1$ and for $s = k+1, \dots, n$ set $m_{j,s} \leftarrow d\,m_{j,s}$. Then for all $i$ such that $1 \le i \le m$ and $i \ne j$ set $d \leftarrow m_{i,k}$, $m_{i,k} \leftarrow 0$ and for $s = k+1, \dots, n$ set $m_{i,s} \leftarrow m_{i,s} + d\,m_{j,s}$. Finally, set $c_j \leftarrow k$ and $d_k \leftarrow j$.

4. [Finished?] If $k < n$ set $k \leftarrow k + 1$ and go to step 2.

5. [Output image] (Here $n - r$ is the dimension of the image, i.e. the rank of the matrix $M$.) For every $j$ such that $1 \le j \le m$ and $c_j \ne 0$ (there will be exactly $n - r$ such $j$), output the column vector $N_{c_j}$ (where $N_k$ is the $k$-th column of the initial matrix $M$). These $n - r$ vectors form a basis for the image of $M$. Terminate the algorithm.

One checks easily that both the kernel and image algorithms require asymptotically $n^2 m/2$ multiplications/divisions in general.

There are many possible variations on this algorithm for determining the image. For example if only the rank of the matrix $M$ is needed and not an actual basis of the image, simply output the number $n - r$ in step 5. If one needs to also know the precise rows and columns that must be extracted from the matrix $M$ to obtain a non-zero $(n-r) \times (n-r)$ determinant, we output the pairs $(j, c_j)$ for each $j \le m$ such that $c_j \ne 0$, where $j$ gives the row number, and $c_j$ the column number.

Finally, if the columns of $M$ represent a generating set for a subspace of $K^m$, the image algorithm enables us to extract a basis for this subspace.

Remark. We recall the following definition.

Definition 2.3.3. We will say that an $m \times n$ matrix $M$ is in column echelon form if there exists $r \le n$ and a strictly increasing map $f$ from $[r+1, n]$ to $[1, m]$ satisfying the following properties.

(1) For $r + 1 \le j \le n$, $m_{f(j),j} = 1$, $m_{i,j} = 0$ if $i > f(j)$ and $m_{f(k),j} = 0$ if $k < j$.

(2) The first $r$ columns of $M$ are equal to 0.

It is clear that the definition implies that the last $n - r$ columns (i.e. the non-zero columns) of $M$ are linearly independent.

It can be seen that Algorithm 2.3.1 gives the basis of the kernel in column echelon form. This property can be useful in other contexts, and hence, if necessary, we may assume that the basis which is output has this property. In fact we will see later that any subspace can be represented by a matrix in column echelon form (Algorithm 2.3.11).

For the image, the basis is simply extracted from the columns of $M$, no linear combination being taken.




2  Algorithms  for  Linear  Algebra  and  Lattices 


2.3.2  Inverse  Image  and  Supplement 

A common problem is to solve linear systems whose matrix is either not square or not invertible. In other words, we want to generalize Algorithm 2.2.1 for solving MX = B where M is an m × n matrix. If $X_0$ is a particular solution of this system, the general solution is given by $X = X_0 + Y$ where Y ∈ ker(M), and ker(M) can be computed using Algorithm 2.3.1, so the only problem is to find one particular solution to our system (or to show that none exist). We will naturally call this the inverse image problem.

If we want the complete inverse image and not just a single solution, the best way is probably to use the kernel Algorithm 2.3.1. Indeed, consider the augmented m × (n + 1) matrix $M_1$ obtained by adding B as an (n + 1)-st column to the matrix M. If X is a solution to MX = B, and if $X_1$ is the (n + 1)-vector obtained from X by adding −1 as (n + 1)-st component, we clearly have $M_1 X_1 = 0$. Conversely, if $X_1$ is any solution of $M_1 X_1 = 0$, then either the (n + 1)-st component of $X_1$ is equal to 0 (corresponding to elements of the kernel of M), or it is non-zero, and by a suitable normalization we may assume that it is equal to −1, and then the first n components give a solution to MX = B. This leads to the following algorithm.

Algorithm 2.3.4 (Inverse Image). Given an m × n matrix M and an m-dimensional column vector B, this algorithm outputs a solution to MX = B or outputs a message saying that none exist. (The algorithm can be trivially modified to output the complete inverse image if desired.)

1. [Compute kernel] Let $M_1$ be the m × (n + 1) matrix whose first n columns are those of M and whose (n + 1)-st column is equal to B. Using Algorithm 2.3.1, compute a matrix V whose columns form a basis for the kernel of $M_1$. Let r be the number of columns of V.

2. [Solution exists?] If $v_{n+1,j} = 0$ for all j such that 1 ≤ j ≤ r, output a message saying that the equation MX = B has no solution. Otherwise, let j ≤ r be such that $v_{n+1,j} \ne 0$ and set $d \leftarrow -1/v_{n+1,j}$.

3. [Output solution] Let $X = (x_i)_{1 \le i \le n}$ be the column vector obtained by setting $x_i \leftarrow d\,v_{i,j}$. Output X and terminate the algorithm.

Note that as for the kernel algorithm, this requires asymptotically $n^2 m/2$ multiplications/divisions, hence is roughly three times slower than Algorithm 2.2.1 when n = m.

If we want only one solution, or if we want several inverse images corresponding to the same matrix but different vectors, it is more efficient to directly use Gaussian elimination once again. A simple modification of Algorithm 2.2.2 does this as follows.

Algorithm 2.3.5 (Inverse Image Matrix). Let M be an m × n matrix and V be an m × r matrix, where n ≤ m. This algorithm either outputs a message saying that some column vector of V is not in the image of M, or outputs an n × r matrix X such that V = MX. We assume that the columns of M are linearly independent. We use an auxiliary column vector C, and we recall that $B'_i$ (resp. $M'_i$, $X'_i$) denotes the i-th row of B (resp. M, X).

1. [Initialize] Set j ← 0 and B ← V.

2. [Finished?] Let j ← j + 1. If j > n go to step 6.

3. [Find non-zero entry] If $m_{i,j} = 0$ for all i such that m ≥ i ≥ j, output a message saying that the columns of M are not linearly independent and terminate the algorithm. Otherwise, let i be some index such that m ≥ i ≥ j and $m_{i,j} \ne 0$.

4. [Swap?] If i > j, for l = j, ..., n exchange $m_{i,l}$ and $m_{j,l}$, and exchange the rows $B'_i$ and $B'_j$.

5. [Eliminate] (Here $m_{j,j} \ne 0$.) Set $d \leftarrow m_{j,j}^{-1}$ and for all k such that m ≥ k > j set $c_k \leftarrow d\,m_{k,j}$. Then for all k and l such that m ≥ k > j and n ≥ l ≥ j set $m_{k,l} \leftarrow m_{k,l} - c_k m_{j,l}$. Finally, for all k such that m ≥ k > j set $B'_k \leftarrow B'_k - c_k B'_j$ and go to step 2.

6. [Solve triangular system] (Here the first n rows of M form an upper triangular matrix.) For i = n, n − 1, ..., 1 (in that order) set
$$X'_i \leftarrow \Bigl(B'_i - \sum_{i < j \le n} m_{i,j} X'_j\Bigr) / m_{i,i}.$$

7. [Check rest of matrix] Check whether for each k such that m ≥ k > n we have $B'_k = M'_k X$. If this is not the case, output a message that some column vector of V is not in the image of M. Otherwise, output the matrix X and terminate the algorithm.

Note  that  in  practice  the  columns  of  M  represent  a  basis  of  some  vector 
space  hence  are  linearly  independent.  However,  it  is  not  difficult  to  modify 
this  algorithm  to  work  without  the  assumption  that  the  columns  of  M  are 
linearly  independent. 
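The following is an added worked example of Algorithm 2.3.5, written for this edition and not taken from the book: it runs the seven steps over Q using Python's Fraction type for exact arithmetic, so that the final check of step 7 is an exact comparison rather than a floating-point tolerance. The function name and the sample matrices are mine; the sample M has independent columns (1, 3, 5) and (2, 4, 6), and the two sample right-hand sides are chosen so that one lies in the image and one does not.

```python
from fractions import Fraction


def inverse_image_matrix(M, V):
    """Algorithm 2.3.5 over Q.

    M is an m x n matrix with linearly independent columns (n <= m), V an m x r
    matrix. Returns the n x r matrix X with V = M X, or None when some column of
    V is not in the image of M. Raises ValueError if the columns of M turn out to
    be linearly dependent (the message of step 3). Entries may be ints or Fractions.
    """
    m, n = len(M), len(M[0])
    r = len(V[0])
    M = [[Fraction(x) for x in row] for row in M]      # working copies, exact arithmetic
    B = [[Fraction(x) for x in row] for row in V]      # step 1: B <- V
    for j in range(n):                                 # step 2: columns j = 1..n
        # step 3: some non-zero m_{i,j} with i >= j (the first one found)
        i = next((t for t in range(j, m) if M[t][j] != 0), None)
        if i is None:
            raise ValueError("the columns of M are not linearly independent")
        if i > j:                                      # step 4: swap rows i and j of M and of B
            M[i], M[j] = M[j], M[i]
            B[i], B[j] = B[j], B[i]
        d = 1 / M[j][j]                                # step 5: clear column j below the pivot
        for k in range(j + 1, m):
            c = d * M[k][j]                            # c_k = m_{k,j} / m_{j,j}
            if c:
                M[k] = [M[k][l] - c * M[j][l] for l in range(n)]
                B[k] = [B[k][l] - c * B[j][l] for l in range(r)]
    # step 6: the first n rows of M are now upper triangular; back-substitute
    X = [[Fraction(0)] * r for _ in range(n)]
    for i in range(n - 1, -1, -1):
        for l in range(r):
            s = B[i][l] - sum(M[i][j] * X[j][l] for j in range(i + 1, n))
            X[i][l] = s / M[i][i]
    # step 7: rows n+1..m of M are zero after elimination, so B must agree there
    for k in range(n, m):
        for l in range(r):
            if sum(M[k][j] * X[j][l] for j in range(n)) != B[k][l]:
                return None
    return X


if __name__ == "__main__":
    # constructed sample: (3, 7, 11) is the sum of the two columns of M, (1, 0, 0) is not in the image
    M = [[1, 2], [3, 4], [5, 6]]
    print(inverse_image_matrix(M, [[3], [7], [11]]))   # [[Fraction(1, 1)], [Fraction(1, 1)]]
    print(inverse_image_matrix(M, [[1], [0], [0]]))    # None
```

Because every column of V is carried along in B during the elimination, the cost of the forward pass is paid once for all r right-hand sides, which is the point made in the paragraph above about several inverse images for the same matrix.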

Another problem which often arises is to find a supplement to a subspace in a vector space. The subspace can be considered as given by the coordinates of a basis on some basis of the full space, hence as an n × k matrix M with k ≤ n of rank equal to k. The problem is to supplement this basis, i.e. to find an invertible n × n matrix B such that the first k columns of B form the matrix M. A basis for a supplement of our subspace is then given by the last n − k columns of B.

This  can  be  done  using  the  following  algorithm. 

Algorithm 2.3.6 (Supplement a Basis). Given an n × k matrix M with k ≤ n having coefficients in a field K, this algorithm either outputs a message saying that M is of rank less than k, or outputs an invertible n × n matrix B such that the first k columns of B form the matrix M. Recall that we denote by $B_j$ the columns of B.

1. [Initialize] Set s ← 0 and $B \leftarrow I_n$.

2. [Finished?] If s = k, then output B and terminate the algorithm.

3. [Search for non-zero] Set s ← s + 1. Let t be the smallest j ≥ s such that $m_{j,s} \ne 0$, and set $d \leftarrow m_{t,s}^{-1}$. If such a t ≤ n does not exist, output a message saying that the matrix M is of rank less than k and terminate the algorithm.

4. [Modify basis and eliminate] Set $B_t \leftarrow B_s$ (if t ≠ s), then set $B_s \leftarrow M_s$. Then for j = s + 1, ..., k, do as follows. Exchange $m_{s,j}$ and $m_{t,j}$ (if t ≠ s). Set $m_{s,j} \leftarrow d\,m_{s,j}$. Then, for all i ≠ s and i ≠ t, set $m_{i,j} \leftarrow m_{i,j} - m_{i,s} m_{s,j}$. Finally, go to step 2.

Proof. This is an easy exercise in linear algebra and is left to the reader (Exercise 9). Note that the elimination part of step 4 ensures that the matrix BM stays constant throughout the algorithm, and at the end of the algorithm the first k rows of the matrix M form the identity matrix $I_k$, and the last n − k rows are equal to 0. □
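An added example of Algorithm 2.3.6 over Q, again mine rather than the book's. One reading choice is labelled as such: in step 4, $B_s \leftarrow M_s$ is taken to mean the original column s of M (the invariant BM = M stated in the proof forces this, since the working copy of column s has already been altered by earlier eliminations), so the code keeps an untouched copy of M for filling B and a separate working copy for the elimination. The function name and sample matrices are constructed.

```python
from fractions import Fraction


def supplement_basis(M):
    """Algorithm 2.3.6 over Q.

    M is an n x k matrix (k <= n) whose columns are the basis to supplement.
    Returns an invertible n x n matrix B whose first k columns are the columns
    of M, or None if rank(M) < k.  Reading assumption: B_s <- M_s in step 4 uses
    the ORIGINAL column s of M (the invariant B*M = M_original requires it).
    """
    n, k = len(M), len(M[0])
    M0 = [[Fraction(x) for x in row] for row in M]   # original M, copied into B
    W = [row[:] for row in M0]                       # working copy that gets eliminated
    B = [[Fraction(int(i == j)) for i in range(n)] for j in range(n)]   # columns of I_n
    for s in range(k):
        # step 3: smallest row t >= s with a non-zero entry in column s
        t = next((j for j in range(s, n) if W[j][s] != 0), None)
        if t is None:
            return None                              # M has rank less than k
        d = 1 / W[t][s]
        # step 4: move the unit vector at position s to position t, put column s of M at s
        if t != s:
            B[t] = B[s]
        B[s] = [M0[i][s] for i in range(n)]
        for j in range(s + 1, k):                    # eliminate column s from the later columns
            if t != s:
                W[s][j], W[t][j] = W[t][j], W[s][j]
            W[s][j] = d * W[s][j]
            for i in range(n):
                if i != s and i != t:
                    W[i][j] -= W[i][s] * W[s][j]
    return [[B[j][i] for j in range(n)] for i in range(n)]   # back to row-major


if __name__ == "__main__":
    # constructed samples
    print(supplement_basis([[1, 2], [3, 4], [5, 6]]))   # [[1, 2, 0], [3, 4, 0], [5, 6, 1]]
    print(supplement_basis([[0, 1], [2, 3], [4, 5]]))   # pivot of column 1 sits in row 2
    print(supplement_basis([[1, 2], [2, 4], [3, 6]]))   # None: rank 1 < 2
```

In the second sample the first pivot is found in row 2, so the unit vector $e_1$ migrates to position 2 of B and is later overwritten by the second column of M; the unit vector that survives, $e_3$, is exactly the one whose row carries no pivot, which is why B stays invertible.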

Often  one  needs  to  find  the  supplement  of  a  subspace  in  another  subspace 
and  not  in  the  whole  space.  In  this  case,  the  simplest  solution  is  to  use  a 
combination  of  Algorithms  2.3.5  and  2.3.6  as  follows. 

Algorithm 2.3.7 (Supplement a Subspace in Another). Let V (resp. M) be an m × r (resp. m × n) matrix whose columns form a basis of some subspace F (resp. E) of $K^m$ with r ≤ n ≤ m. This algorithm either finds a basis for a supplement of F in E or outputs a message saying that F is not a subspace of E.

1. [Find new coordinates] Using Algorithm 2.3.5, find an n × r inverse image matrix X such that V = MX. If such a matrix does not exist, output a message saying that F is not a subspace of E and terminate the algorithm.

2. [Supplement X] Apply Algorithm 2.3.6 to the matrix X, thus giving an n × n matrix B whose first r columns form the matrix X.

3. [Supplement F in E] Let C be the n × (n − r) matrix formed by the last n − r columns of B. Output MC and terminate the algorithm (the columns of MC will form a basis for a supplement of F in E).

Note that in addition to the error message of step 1, Algorithms 2.3.5 and 2.3.6 will also output error messages if the columns of V or M are not linearly independent.


2.3.3  Operations  on  Subspaces 

The final algorithms that we will study concern the sum and intersection of two subspaces. If M and M' are m × n and m × n' matrices respectively, the columns of M (resp. M') span subspaces V (resp. V') of $K^m$. To obtain a basis for the sum V + V' is very easy.

Algorithm 2.3.8 (Sum of Subspaces). Given an m × n (resp. m × n') matrix M (resp. M') whose columns span a subspace V (resp. V') of $K^m$, this algorithm finds a matrix N whose columns form a basis for V + V'.

1. [Concatenate] Let $M_1$ be the m × (n + n') matrix obtained by concatenating side by side the matrices M and M'. (Hence the first n columns of $M_1$ are those of M, the last n' those of M'.)

2. Using Algorithm 2.3.2 output a basis of the image of $M_1$ and terminate the algorithm.

Obtaining a basis for the intersection V ∩ V' is not much more difficult.

Algorithm 2.3.9 (Intersection of Subspaces). Given an m × n (resp. m × n') matrix M (resp. M') whose columns span a subspace V (resp. V') of $K^m$, this algorithm finds a matrix N whose columns form a basis for V ∩ V'.

1. [Compute kernel] Let $M_1$ be the m × (n + n') matrix obtained by concatenating side by side the matrices M and M'. (Hence the first n columns of $M_1$ are those of M, the last n' those of M'.) Using Algorithm 2.3.1 compute a basis of the kernel of $M_1$, given by an (n + n') × p matrix N for some p.

2. [Compute intersection] Let $N_1$ be the n × p matrix obtained by extracting from N the first n rows. Set $M_2 \leftarrow M N_1$, output the matrix obtained by applying Algorithm 2.3.2 to $M_2$ and terminate the algorithm. (Note that if we know beforehand that the columns of M (resp. M') are also linearly independent, i.e. form a basis of V (resp. V'), we can simply output the matrix $M_2$ without applying Algorithm 2.3.2.)

Proof. We will constantly use the trivial fact that a column vector B is in the span of the columns of a matrix M if and only if there exists a column vector X such that B = MX.

Let $N'_1$ be the n' × p matrix obtained by extracting from N the last n' rows. By block matrix multiplication, we have $M N_1 + M' N'_1 = 0$. If $B_i$ is the i-th column of $M_2 = M N_1$ then $B_i \in V$, but $B_i$ is also equal to the opposite of the i-th column of $M' N'_1$, hence $B_i \in V'$. Conversely, let B ∈ V ∩ V'. Then we can write B = MX = M'X' for some column vectors X and X'. If Y is the (n + n')-dimensional column vector whose first n (resp. last n') components are X (resp. −X'), we clearly have $M_1 Y = 0$, hence Y = NC for some column vector C. In particular, $X = N_1 C$ hence $B = M N_1 C = M_2 C$, so B belongs to the space spanned by the columns of $M_2$. It follows that this space is equal to V ∩ V', and the image algorithm gives us a basis.

If the columns of M (resp. M') are linearly independent, then it is left as an easy exercise for the reader to check that the columns of $M_2$ are also linearly independent (Exercise 12), thus proving the validity of the algorithm. □


As mentioned earlier, a subspace V of $K^m$ can be represented as an m × n matrix M = M(V) whose columns are the coordinates of a basis of V on the canonical basis of $K^m$. This representation depends entirely on the basis, so we may hope to find a more canonical representation. For example, how do we decide whether two subspaces V and W of $K^m$ are equal? One method is of course to check whether every basis element of W is in the image of the matrix M(V) and conversely, using Algorithm 2.3.4.

A better method is to represent V by a matrix having a special form, in the present case in column echelon form (see Definition 2.3.3).

Proposition 2.3.10. If V is a subspace of $K^m$, there exists a unique basis of V such that the corresponding matrix M(V) is in column echelon form.

Proof. This will follow immediately from the following algorithm. □

Algorithm 2.3.11 (Column Echelon Form). Given an m × n matrix M this algorithm outputs a matrix N in column echelon form whose image is equal to the image of M (i.e. N = MP for some invertible n × n matrix P).

1. [Initialize] Set i ← m and k ← n.

2. [Search for non-zero] Search for the largest integer j ≤ k such that $m_{i,j} \ne 0$. If such a j does not exist, go to step 4. Otherwise, set $d \leftarrow 1/m_{i,j}$, then for l = 1, ..., i set $t \leftarrow d\,m_{l,j}$, $m_{l,j} \leftarrow m_{l,k}$ (if j ≠ k) and $m_{l,k} \leftarrow t$.

3. [Eliminate] For all j such that 1 ≤ j ≤ n and j ≠ k and for all l such that 1 ≤ l ≤ i set $m_{l,j} \leftarrow m_{l,j} - m_{l,k} m_{i,j}$. Finally, set k ← k − 1.

4. [Next row] If i = 1 output M and terminate the algorithm. Otherwise, set i ← i − 1 and go to step 2.

The proof of the validity of this algorithm is easy and left to the reader (see Exercise 11). The number of required multiplications/divisions is asymptotically $n^2(2m - n)/2$ if n ≤ m and $nm^2/2$ if n ≥ m.

Since the non-zero columns of a matrix which is in column echelon form are linearly independent, this algorithm gives us an alternate way to compute the image of a matrix. Instead of obtaining a basis of the image as a subset of the columns, we obtain a matrix in column echelon form. This is preferable in many situations. Comparing the number of multiplications/divisions needed, this algorithm is slower than Algorithm 2.3.2 for n < m, but faster when n > m.
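An added example, not from the book, covering Algorithm 2.3.11 and the two uses made of it above: the canonical representation of a subspace by its column echelon form (Proposition 2.3.10), which gives an equality test for subspaces, and the alternate image computation, which is used here to carry out Algorithm 2.3.8 (sum of subspaces) with Algorithm 2.3.11 in place of Algorithm 2.3.2. Arithmetic is over Q with Fraction. The function names and the sample matrices are mine; in the sample, the columns of M2 are the sum of the two columns of M1 and the first column of M1, so the two matrices span the same subspace and must produce identical echelon forms.

```python
from fractions import Fraction


def column_echelon_form(M):
    """Algorithm 2.3.11 over Q: a matrix in column echelon form (Definition 2.3.3)
    with the same image as the m x n matrix M. Works on a copy; entries may be ints."""
    m, n = len(M), len(M[0])
    A = [[Fraction(x) for x in row] for row in M]
    k = n - 1                                     # 0-based index of the column receiving the next pivot
    for i in range(m - 1, -1, -1):                # rows from the bottom up (steps 2-4)
        # step 2: largest j <= k with a non-zero entry in row i
        j = next((c for c in range(k, -1, -1) if A[i][c] != 0), None)
        if j is None:
            continue                              # step 4: nothing to do in this row, k unchanged
        d = 1 / A[i][j]
        for l in range(i + 1):                    # scale column j to pivot 1 and move it into column k
            t = d * A[l][j]
            if j != k:
                A[l][j] = A[l][k]
            A[l][k] = t
        for c in range(n):                        # step 3: clear row i in every column except k
            if c == k or A[i][c] == 0:
                continue
            f = A[i][c]                           # fix the multiplier before row i itself changes
            for l in range(i + 1):
                A[l][c] -= A[l][k] * f
        k -= 1
    return A


def echelon_basis(M):
    """Non-zero columns of the column echelon form, as a list of column vectors:
    the unique basis of im(M) of Proposition 2.3.10."""
    N = column_echelon_form(M)
    cols = [[N[i][j] for i in range(len(N))] for j in range(len(N[0]))]
    return [c for c in cols if any(c)]


def rank(M):
    return len(echelon_basis(M))


def same_subspace(M1, M2):
    """Equality test for subspaces given by spanning sets: compare the canonical bases."""
    return echelon_basis(M1) == echelon_basis(M2)


def sum_of_subspaces(M1, M2):
    """Algorithm 2.3.8 with the image taken by Algorithm 2.3.11: concatenate, then reduce."""
    return echelon_basis([r1 + r2 for r1, r2 in zip(M1, M2)])


if __name__ == "__main__":
    # constructed samples: M2's columns are col1 + col2 and col1 of M1, so the spans agree
    M1 = [[1, 2], [3, 4], [5, 6]]
    M2 = [[3, 1], [7, 3], [11, 5]]
    print(column_echelon_form(M1))         # [[2, -1], [1, 0], [0, 1]]
    print(same_subspace(M1, M2))           # True
    print(rank([[1, 2], [2, 4], [3, 6]]))  # 1
```

The test of equality reduces to comparing two lists of vectors entry by entry, which is the practical content of Proposition 2.3.10; with the image-membership method of Algorithm 2.3.4 one would instead need one inverse image computation per basis vector of each subspace.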


2.3.4  Remarks  on  Modules 

We  can  study  most  of  the  above  linear  algebra  problems  in  the  context  of 
modules  over  a  commutative  ring  with  unit  R  instead  of  vector  spaces  over  a 
field.  If  the  ring  R  is  an  integral  domain,  we  can  work  over  its  field  of  fractions 
K.  (This  is  what  we  did  in  the  algorithms  given  above  when  we  assumed  that 
the  matrices  had  integral  entries.)  However,  this  is  not  completely  satisfactory, 
since  the  answer  that  we  want  may  be  different.  For  example,  to  compute  the 
kernel of a map defined between two free modules of finite rank (given as usual by a matrix), finding the kernel as a K-vector space is not sufficient, since we want it as an R-module. In fact, this kernel will usually not be a free module, hence cannot be represented by a matrix whose columns form a basis. One important special case where it will be free is when R is a principal ideal domain (PID, see Chapter 4). In this case all submodules of a free module of finite rank are free of finite rank. This happens when R = Z or R = k[X] for a field k. In this case, asking for a basis of the kernel makes perfectly good sense, and the algorithm that we have given is not sufficient. We will see later (Algorithm 2.4.10) how to solve this problem.

A second difficulty arises when R is not an integral domain, because of the presence of zero-divisors. Since almost all linear algebra algorithms involve elimination, i.e. division by an element of R, we are bound at some point to get a non-zero non-invertible entry as divisor. In this case, we are in more trouble. Sometimes however, we can work around this difficulty. Let us consider for example the problem of solving a square linear system over Z/rZ, where r is not necessarily a prime. If we know the factorization of r into prime powers, we can use the Chinese remainder Theorem 1.3.9 to reduce to the case where r is a prime power. If r is prime, Algorithm 2.2.1 solves the problem, and if r is a higher power of a prime, we can still use Algorithm 2.2.1 applied to the field $K = \mathbb{Q}_p$ of p-adic numbers (see Exercise 2).

But what are we to do if we do not know the complete factorization of r? This is quite common, since as we will see in Chapters 8, 9 and 10 large numbers (say more than 80 decimal digits) are quite hard to factor. Fortunately, we do not really care. After extracting the known factors of r, we are left with a linear system modulo a new r for which we know (or expect) that it does not have any small factors (say none less than $10^6$). We then simply apply Algorithm 2.2.1. Two things may happen. Either the algorithm goes through with no problem, and this will happen as long as all the elements which are used to perform the elimination (which we will call the pivots) are coprime to r. This will almost always be the case since r has no small factors. We then get the solution to the system. Note that this solution must be unique since the determinant of M, which is essentially equal to the product of the pivots, is coprime to r.

The other possibility is that we obtain a pivot p which is not coprime to r. Since the pivot is non-zero (modulo r), this means that the GCD (p, r) gives a non-trivial factor of r, hence we split r as a product of smaller (coprime) numbers and apply Algorithm 2.2.1 once again. The idea of working "as if" r was a prime can be applied to many number-theoretic algorithms where the basic assumption is that Z/rZ is a field, and usually the same procedure can be made to work. H. W. Lenstra calls the case where working this way we find a non-trivial factor of r a side exit. In fact, this is sometimes the main purpose of an algorithm. For example, the elliptic curve factoring algorithm (Algorithm 10.3.3) uses exactly this kind of side exit to factor r.
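An added example (my code, not the book's) of the procedure just described: Gaussian elimination over Z/rZ written "as if r were prime", which returns the solution when every pivot is a unit modulo r and takes the side exit, reporting the factor gcd(p, r), when a pivot p is not coprime to r. The function name and the sample systems are constructed; r = 91 = 7 · 13 stands in for a modulus whose factorization is not known to the caller.

```python
from math import gcd


def solve_mod(M, b, r):
    """Solve M x = b over Z/rZ by Gaussian elimination 'as if r were prime'.

    Returns ("solution", x) when every pivot is coprime to r (x is then unique,
    since det(M) is essentially the product of the pivots), ("factor", g) with
    1 < g < r and g | r when a pivot shares a factor with r (the side exit), or
    ("singular", None) when some column has no non-zero pivot at all.
    """
    n = len(M)
    # augmented matrix [M | b], reduced mod r
    A = [[M[i][j] % r for j in range(n)] + [b[i] % r] for i in range(n)]
    for c in range(n):
        p = next((i for i in range(c, n) if A[i][c] != 0), None)
        if p is None:
            return "singular", None
        A[c], A[p] = A[p], A[c]
        g = gcd(A[c][c], r)
        if g != 1:
            return "factor", g            # non-invertible pivot: r = g * (r // g) is a proper split
        inv = pow(A[c][c], -1, r)         # the pivot is a unit mod r
        A[c] = [(x * inv) % r for x in A[c]]
        for i in range(n):
            if i != c and A[i][c]:
                f = A[i][c]
                A[i] = [(y - f * x) % r for x, y in zip(A[c], A[i])]
    return "solution", [A[i][n] for i in range(n)]


if __name__ == "__main__":
    r = 91                                # constructed: 7 * 13, playing an unfactored modulus
    print(solve_mod([[2, 1], [1, 3]], [40, 70], r))   # ('solution', [10, 20])
    print(solve_mod([[7, 1], [1, 1]], [1, 2], r))     # ('factor', 7): the side exit
```

On the "factor" return the caller holds the coprime split r = g · (r/g) and, as the text says, restarts the elimination modulo each part and recombines by the Chinese remainder theorem; nothing in the elimination itself has to know in advance whether r is prime.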
2.4 Z-Modules and the Hermite and Smith Normal Forms

2.4.1  Introduction  to  Z-Modules 

The most common kinds of modules that one encounters in number theory, apart from vector spaces, are evidently Z-modules, i.e. Abelian groups. The Z-modules V that we consider will be assumed to be finitely generated, in other words there exists a finite set $(v_i)_{1 \le i \le k}$ of elements of V such that any element of V can be expressed as a linear combination of the $v_i$ with integral coefficients. The basic results about such Z-modules are summarized in the following theorem, whose proof can be found in any standard text (see for example [Lang]).

Theorem 2.4.1. Let V be a finitely generated Z-module (i.e. Abelian group).

(1) If $V_{\mathrm{tors}}$ is the torsion subgroup of V, i.e. the set of elements v ∈ V such that there exists m ∈ Z \ {0} with mv = 0, then $V_{\mathrm{tors}}$ is a finite group, and there exists a non-negative integer n and an isomorphism
$$V \simeq V_{\mathrm{tors}} \times \mathbb{Z}^n$$
(the number n is called the rank of V).

(2) If V is a free Z-module (i.e. if $V \simeq \mathbb{Z}^n$, or equivalently by (1) if $V_{\mathrm{tors}} = \{0\}$), then any submodule of V is free of rank less than or equal to that of V.

(3) If V is a finite Z-module (i.e. by (1) if V is of zero rank), there exists n and a submodule L of $\mathbb{Z}^n$ (which is free by (2)) such that $V \simeq \mathbb{Z}^n/L$.

Note that (2) and (3) are easy consequences of (1) (see Exercise 13).

This  theorem  shows  that  the  study  of  finitely  generated  Z-modules  splits 
naturally  into,  on  the  one  hand  the  study  of  finite  Z-modules  (which  we  will 
usually  denote  by  the  letter  G  for  (finite  Abelian)  group),  and  on  the  other 
hand  the  study  of  free  Z-modules  of  finite  rank  (which  we  will  usually  denote 
by  the  letter  L  for  lattice  (see  Section  2.5)).  Furthermore,  (3)  shows  that 
these  notions  are  in  some  sense  dual  to  each  other,  so  that  we  can  in  fact 
study  only  free  Z-modules,  finite  Z-modules  being  considered  as  quotients  of 
free  modules. 

Studying free modules L puts us in almost the same situation as studying vector spaces. In particular, we will usually consider L to be a submodule of some $\mathbb{Z}^m$, and we will represent L as an m × n matrix M whose columns give the coordinates of a basis of L on the canonical basis of $\mathbb{Z}^m$. Such a representation is of course not unique, since it depends on the choice of a basis for L. In the case of vector spaces, one of the ways to obtain a more canonical representation was to transform the matrix M into column echelon form. Since this involves elimination, this is not possible anymore over Z. Nonetheless, there exists an analogous notion which is just as useful, called the Hermite normal form (abbreviated HNF). Another notion, called the Smith normal form (abbreviated SNF), allows us to represent finite Z-modules.


2.4.2  The  Hermite  Normal  Form 

The following definition is the analog of Definition 2.3.3 for Z-modules.

Definition 2.4.2. We will say that an m × n matrix $M = (m_{i,j})$ with integer coefficients is in Hermite normal form (abbreviated HNF) if there exists r ≤ n and a strictly increasing map f from [r + 1, n] to [1, m] satisfying the following properties.

(1) For r + 1 ≤ j ≤ n, $m_{f(j),j} \ge 1$, $m_{i,j} = 0$ if i > f(j), and $0 \le m_{f(k),j} < m_{f(k),k}$ if k < j.

(2) The first r columns of M are equal to 0.

Remark. In the important special case where m = n and f(k) = k (or equivalently det(M) ≠ 0), M is in HNF if it satisfies the following conditions.

(1) M is an upper triangular matrix, i.e. $m_{i,j} = 0$ if i > j.

(2) For every i, we have $m_{i,i} > 0$.

(3) For every j > i we have $0 \le m_{i,j} < m_{i,i}$.

More generally, if n ≥ m, a matrix M in HNF has the following shape
$$
\begin{pmatrix}
0 & \cdots & 0 & * & * & \cdots & * \\
0 & \cdots & 0 & 0 & * & \cdots & * \\
\vdots & & \vdots & \vdots & & \ddots & \vdots \\
0 & \cdots & 0 & 0 & \cdots & 0 & *
\end{pmatrix}
$$
where the last m columns form a matrix in HNF.

Theorem 2.4.3. Let A be an m × n matrix with coefficients in Z. Then there exists a unique m × n matrix $B = (b_{i,j})$ in HNF of the form B = AU with $U \in GL_n(\mathbb{Z})$, where $GL_n(\mathbb{Z})$ is the group of matrices with integer coefficients which are invertible, i.e. whose determinant is equal to ±1.

Note that although B is unique, the matrix U will not be unique.

The matrix W formed by the non-zero columns of B will be called the Hermite normal form of the matrix A. Note that if A is the matrix of any generating set of a sub-Z-module L of $\mathbb{Z}^m$, and not only of a basis, the columns of W give the unique basis of L whose matrix is in HNF. This basis will be called the HNF basis of the Z-module L, and the matrix W the HNF of L. In the special case where the Z-module L is of rank equal to m, the matrix W will be upper triangular, and will sometimes be called the upper triangular HNF of L.

We  give  the  proof  of  Theorem  2.4.3  as  an  algorithm. 

Algorithm 2.4.4 (Hermite Normal Form). Given an m × n matrix A with integer coefficients $(a_{i,j})$ this algorithm finds the Hermite normal form W of A. As usual, we write $w_{i,j}$ for the coefficients of W, $A_i$ (resp. $W_i$) for the columns of A (resp. W).

1. [Initialize] Set i ← m, k ← n, l ← 1 if m ≤ n, l ← m − n + 1 if m > n.

2. [Row finished?] If all the $a_{i,j}$ with j < k are zero, then if $a_{i,k} < 0$ replace column $A_k$ by $-A_k$ and go to step 5.

3. [Choose non-zero entry] Pick among the non-zero $a_{i,j}$ for j ≤ k one with the smallest absolute value, say $a_{i,j_0}$. Then if $j_0 < k$, exchange column $A_k$ with column $A_{j_0}$. In addition, if $a_{i,k} < 0$ replace column $A_k$ by $-A_k$. Set $b \leftarrow a_{i,k}$.

4. [Reduce] For j = 1, ..., k − 1 do the following: set $q \leftarrow \lfloor a_{i,j}/b \rfloor$, and $A_j \leftarrow A_j - qA_k$. Then go to step 2.

5. [Final reductions] Set $b \leftarrow a_{i,k}$. If b = 0, set k ← k + 1 and go to step 6. Otherwise, for j > k do the following: set $q \leftarrow \lfloor a_{i,j}/b \rfloor$ and $A_j \leftarrow A_j - qA_k$.

6. [Finished?] If i = l then for j = 1, ..., n − k + 1 set $W_j \leftarrow A_{j+k-1}$ and terminate the algorithm. Otherwise, set i ← i − 1, k ← k − 1 and go to step 2.

This algorithm terminates since one can easily prove that $|a_{i,k}|$ is strictly decreasing each time we return to step 2 from step 4. Upon termination, it is clear that W is in Hermite normal form, and since it has been obtained from A by elementary column operations of determinant ±1, W is the HNF of A. We leave the uniqueness statement of Theorem 2.4.3 as an exercise for the reader (Exercise 14). □

Remarks. 

(1)  It  is  easy  to  modify  the  above  algorithm  (as  well  as  the  subsequent  ones) 
so  as  to  give  the  lower  triangular  HNF  of  A  in  the  case  where  A  is  of  rank 
equal  to  m. 

(2) If we also want the matrix $U \in GL_n(\mathbb{Z})$, it is easy to add the corresponding statements (see for example Algorithm 2.4.10).

Consider the very special case m = 1, n = 2 of this algorithm. The result will be (usually) a 1 × 1 matrix whose unique element is equal to the GCD $(a_{1,1}, a_{1,2})$. Hence, it is conceptually easier, and usually faster, to replace in the above algorithm divisions by (extended) GCD's. We can then choose among several available methods for computing these GCD's. This gives the following algorithm.

Algorithm 2.4.5 (Hermite Normal Form). Given an m × n matrix A with integer coefficients $(a_{i,j})$ this algorithm finds the Hermite normal form W of A. We use an auxiliary column vector B.

1. [Initialize] Set i ← m, j ← n, k ← n, l ← 1 if m ≤ n, l ← m − n + 1 if m > n.

2. [Check zero] If j = 1 go to step 4. Otherwise, set j ← j − 1, and if $a_{i,j} = 0$ go to step 2.

3. [Euclidean step] Using Euclid's extended algorithm, compute (u, v, d) such that $u a_{i,k} + v a_{i,j} = d = \gcd(a_{i,k}, a_{i,j})$, with |u| and |v| minimal (see below). Then set $B \leftarrow uA_k + vA_j$, $A_j \leftarrow (a_{i,k}/d)A_j - (a_{i,j}/d)A_k$, $A_k \leftarrow B$, and go to step 2.

4. [Final reductions] Set $b \leftarrow a_{i,k}$. If b < 0 set $A_k \leftarrow -A_k$ and b ← −b. Now if b = 0, set k ← k + 1, and if l > 1 and i = l set l ← l − 1, then go to step 5; otherwise for j > k do the following: set $q \leftarrow \lfloor a_{i,j}/b \rfloor$, and $A_j \leftarrow A_j - qA_k$.

5. [Finished?] If i = l then for j = 1, ..., n − k + 1 set $W_j \leftarrow A_{j+k-1}$ and terminate the algorithm. Otherwise, set i ← i − 1, k ← k − 1, j ← k and go to step 2.

Important Remark. In step 3, we are asked to compute (u, v, d) with |u| and |v| minimal. The meaning of this is as follows. Writing a for $a_{i,k}$ and b for $a_{i,j}$, we must choose among all possible (u, v) the unique pair such that
$$-\frac{|a|}{d} < v\,\mathrm{sign}(b) \le 0 \quad\text{and}\quad 1 \le u\,\mathrm{sign}(a) \le \frac{|b|}{d}.$$
In fact, the condition on u is equivalent to the condition on v, and that such a pair exists and is unique is an exercise left to the reader (Exercise 15). The sign conditions are not important, they could be reversed if desired, but it is essential that when d = |a|, i.e. when a | b, we take v = 0. If this condition is not obeyed, the algorithm may enter into an infinite loop. This remark applies also to all the Hermite and Smith normal form algorithms that we shall see below.
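As an added example (my code, not the book's) of Algorithm 2.4.5 and of the Important Remark: an extended GCD that returns the normalised pair (u, v) of the remark, with v = 0 whenever a divides b, and an HNF routine built on the Euclidean step of step 3 and the final reductions of step 4. The row and column bookkeeping is written as plain loops over all rows rather than with the book's i, k, l counters, so that a row containing no pivot simply leaves the column pointer where it is; the sample matrices are constructed, and the third one is a generating set rather than a basis, for which W is the HNF basis of the lattice spanned by the columns.

```python
def ext_gcd_minimal(a, b):
    """Extended GCD with the normalisation of the Important Remark after Algorithm 2.4.5:
    returns (u, v, d) with u*a + v*b = d = gcd(a, b) >= 0 and, for a, b both non-zero,
    -|a|/d < v*sign(b) <= 0 and 1 <= u*sign(a) <= |b|/d.  In particular v = 0 whenever a | b.
    The degenerate cases a = 0 or b = 0 (where those inequalities make no sense) return the
    obvious pair instead."""
    sa = 1 if a > 0 else -1
    sb = 1 if b > 0 else -1
    if b == 0:
        return (sa if a else 0), 0, abs(a)
    if a == 0:
        return 0, sb, abs(b)
    # plain extended Euclid on |a|, |b|
    old_r, r = abs(a), abs(b)
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    d = old_r
    u, v = old_s * sa, old_t * sb          # one solution of u*a + v*b = d
    # every solution is (u + shift*b/d, v - shift*a/d); choose shift so that 1 <= u*sign(a) <= |b|/d
    step = (b // d) * sa                   # change of u*sign(a) per unit of shift
    w = (u * sa - 1) % abs(step) + 1       # representative of u*sign(a) in [1, |b|/d]
    shift = (w - u * sa) // step
    return u + shift * (b // d), v - shift * (a // d), d


def hnf(A):
    """Hermite normal form W of the integer matrix A (Definition 2.4.2), using only the
    column operations of Algorithm 2.4.5: Euclidean steps, then the final reductions."""
    m, n = len(A), len(A[0])
    cols = [[A[i][j] for i in range(m)] for j in range(n)]   # work column by column
    k = n - 1                                                # column that will hold this row's pivot
    for i in range(m - 1, -1, -1):                           # rows from the bottom up
        if k < 0:
            break
        for j in range(k - 1, -1, -1):                       # step 3 for each j < k with a_{i,j} != 0
            if cols[j][i] == 0:
                continue
            a, b = cols[k][i], cols[j][i]
            u, v, d = ext_gcd_minimal(a, b)
            new_k = [u * x + v * y for x, y in zip(cols[k], cols[j])]          # B <- u A_k + v A_j
            new_j = [(a // d) * y - (b // d) * x for x, y in zip(cols[k], cols[j])]
            cols[k], cols[j] = new_k, new_j
        if cols[k][i] < 0:                                   # step 4: make the pivot positive
            cols[k] = [-x for x in cols[k]]
        b = cols[k][i]
        if b == 0:
            continue                                         # no pivot in this row, k stays
        for j in range(k + 1, n):                            # reduce the entries to the right
            q = cols[j][i] // b
            if q:
                cols[j] = [y - q * x for x, y in zip(cols[j], cols[k])]
        k -= 1
    W = cols[k + 1:]                                         # drop the zero columns on the left
    return [[W[j][i] for j in range(len(W))] for i in range(m)]


if __name__ == "__main__":
    print(hnf([[1, 2], [3, 4]]))           # [[2, 1], [0, 1]]
    print(hnf([[1, 2], [3, 4], [5, 6]]))   # [[4, 1], [2, 1], [0, 1]]
    print(hnf([[1, 2, 3], [3, 4, 7]]))     # [[2, 1], [0, 1]]: third column is col1 + col2
```

The shift in ext_gcd_minimal walks along the line of all Bezout pairs until u·sign(a) lands in [1, |b|/d]; when a | b that representative is u = sign(a), which forces v = 0 and so keeps the Euclidean step from rewriting $A_k$ as a combination that would later need to be undone, which is the infinite-loop danger the remark warns about.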

Algorithms 2.4.4 and 2.4.5 work entirely with integers, and there are no divisions except for Euclidean divisions, hence one could expect that they behave reasonably well with respect to the size of the integers involved. Unfortunately, this is absolutely not the case, and the coefficient explosion phenomenon occurs here also, even in very reasonable situations. For example, Hafner-McCurley ([Haf-McCur2]) give an example of a 20 × 20 integer matrix whose coefficients are less than or equal to 10, but which needs integers of up to 1500 decimal digits in the computations of Algorithm 2.4.4 or Algorithm 2.4.5 leading to its HNF. Hence, it is necessary to improve these algorithms.

One modification of Algorithm 2.4.5 would be, for a fixed row i, instead of setting equal to zero the successive a_{i,j} for j = k − 1, k − 2, ..., 1 by doing column operations between columns k and j, to set these a_{i,j} equal to zero in the same order, but now doing operations between columns k and k − 1, then k − 1 and k − 2, and so on until columns 2 and 1, and then exchanging columns 1 and k. This idea is due to Bradley [Bra].

Still another modification is the following. In Algorithm 2.4.5, we perform the column operations as follows: (k, k − 1), (k, k − 2), ..., (k, 1). In the modified version just mentioned, the order is (k, k − 1), (k − 1, k − 2), ..., (2, 1), (1, k). One can also, for row i, do as follows. Work with the pair of columns (j_1, j_2) where a_{i,j_1} and a_{i,j_2} are the largest and second largest non-zero elements of row i with j ≤ k. Then experiments show that the coefficient explosion is considerably reduced, and actual computational experience shows that it is faster than the preceding versions. However, this is still insufficient for our needs.

When m ≤ n and A is of rank m (in which case W is an upper triangular matrix with non-zero determinant D), an important improvement suggested by several authors (see for example [Kan-Bac]) is to work modulo a multiple of the determinant of W, or even modulo a multiple of the exponent of Z^m/W. (Note that D is equal to the order of the finite Z-module Z^m/W; the exponent is by definition the smallest positive integer e such that eZ^m ⊂ W. It divides the determinant.)

In the case where m = n, we have det(W) = ± det(A), hence the determinant can be computed before doing the reduction if needed. In the general case, however, one does not know det(W) in advance, but in practice the HNF is often used for obtaining an HNF-basis for a Z-module L in a number field (see Chapter 4), and in that case one usually knows a multiple of the determinant of L. One can modify all of the above mentioned algorithms in this way.

These modifications are based on the following additional algorithm, essentially due to Hafner and McCurley (see [Haf-McCur2]):

Algorithm 2.4.6 (HNF Modulo D). Let A be an m × n integer matrix of rank m. Let L = (l_{i,j})_{1≤i,j≤m} be the m × m upper triangular matrix obtained from A by doing all operations modulo D in any of the above mentioned algorithms, where D is a positive multiple of the determinant of the module generated by the columns of A (or equivalently of the determinant of the HNF of A). This algorithm outputs the true upper triangular Hermite normal form W = (w_{i,j})_{1≤i,j≤m} of A. We write W_i and L_i for the i-th columns of W and L respectively.

1. [Initialize] Set b ← D, i ← m.

2. [Euclidean step] Using a form of Euclid's extended algorithm, compute (u, v, d) such that u l_{i,i} + v b = d = gcd(l_{i,i}, b). Then set W_i ← (uL_i mod b) (recall that a mod b is the least non-negative residue of a modulo b). If d = b (i.e. if b | l_{i,i}) set in addition w_{i,i} ← d (if d ≠ b, this will already be true, but if d = b we would have w_{i,i} = 0 if we do not include this additional assignment).

3. [Finished?] If i > 1, set b ← b/d, i ← i − 1 and go to step 2. Otherwise, for i = m − 1, m − 2, ..., 1, and for j = i + 1, ..., m set q ← ⌊w_{i,j}/w_{i,i}⌋, W_j ← W_j − qW_i. Output the matrix W = (w_{i,j}) and terminate the algorithm.
We must prove that this algorithm is valid. Since step 2 is executed exactly m times, the algorithm terminates, so what we need to prove is that the matrix W that the algorithm produces is indeed the HNF of A. For any m × n matrix M of rank m, denote by γ_i(M) the GCD of all the i × i sub-determinants obtained from the last i rows of M, for 1 ≤ i ≤ m. It is clear that elementary column operations like those of Algorithms 2.4.4 or 2.4.5 leave these quantities unchanged. Furthermore, reduction modulo D changes these i × i sub-determinants by multiples of D, hence does not change the GCD of γ_i(M) with D. It is clear that γ_{m−i+1}(W) = w_{i,i} ⋯ w_{m,m} divides det(W), hence divides D. Therefore we have:

$$w_{i,i}\cdots w_{m,m} = \gcd(D, \gamma_{m-i+1}(W)) = \gcd(D, \gamma_{m-i+1}(A)) = \gcd(D, \gamma_{m-i+1}(L)) = \gcd(D, l_{i,i}\cdots l_{m,m}), \qquad (1_i)$$

hence the value given by Algorithm 2.4.6 for w_{m,m} is correct. Call D_i the value of b for the value i, and set P_i = w_{i+1,i+1} ⋯ w_{m,m}. Then if we assume that the diagonal elements w_{j,j} are correct for j > i, we have by definition D_i = D/P_i. Hence, if we divide equation (1_{i+1}) by P_i we obtain

$$1 = \gcd\bigl(D_i,\ (l_{i+1,i+1}\cdots l_{m,m})/P_i\bigr)$$

for 1 ≤ i < m. Now if we divide equation (1_i) by P_i we obtain

$$w_{i,i} = \gcd\bigl(D_i,\ (l_{i,i}\cdots l_{m,m})/P_i\bigr) = \gcd(D_i, l_{i,i})$$

by the preceding formula, hence the diagonal elements of the matrix W which are output by Algorithm 2.4.6 are correct. Since W is an upper triangular matrix, it follows that its determinant is equal to the determinant of the HNF of A.

To finish the proof that Algorithm 2.4.6 is valid, we will show that the columns W_i = (uL_i mod D_i) output by the algorithm are in the Z-module L generated by the columns of A. By the remark just made, this will show that, in fact, the W_i are a basis of L, hence that W is obtained from A by elementary transformations. Since step 3 of the algorithm finishes transforming W into a Hermite normal form, W must be equal to the HNF of A. Since

$$W_i = \sum_{1\le j\le m} c_{i,j}A_j + D_iB_i,$$

where the A_j are the columns of A, B_i is a (column) vector in Z^m whose components of index greater than i are zero, and the c_{i,j} are integers, the claim concerning the W_i follows immediately from the following lemma:

Lemma 2.4.7. With the above notations, for every i with 1 ≤ i ≤ m and any vector B whose components of index greater than i are zero, we have D_iB ∈ L.

Proof. Consider the i × i matrix N_i formed by the first i rows and columns of the true HNF of A. We have already proved that the diagonal elements are the w_{j,j} output by the algorithm. Now if one considers Z^i as a submodule of Z^m by setting the last m − i components equal to 0, then we see that the columns of N_i (extended by m − i zeros) are Z-linear combinations of the columns A_i of A, i.e. are in L. Now det(N_i) = w_{1,1} ⋯ w_{i,i}, and by definition D_i is a multiple of w_{1,1} ⋯ w_{i,i}. Hence, if L_i is the submodule of Z^i generated by the columns of N_i, we have on the one hand L_i ⊂ Z^i ∩ L, and on the other hand, since det(N_i) = [Z^i : L_i], we have det(N_i)Z^i ⊂ L_i, which implies D_iZ^i ⊂ L, and this is equivalent to the statement of the lemma. This concludes the proof of the validity of Algorithm 2.4.6. □

Note that if we work modulo D in Algorithm 2.4.5, the order in which the columns are treated, which is what distinguishes Algorithm 2.4.5 from its variants, is not really important. Furthermore, the proof of Algorithm 2.4.6 shows that it is not necessary to work modulo the full multiple of the determinant D in Algorithm 2.4.5, but that at row i one can work modulo D_i, which can be much smaller. Finally, note that in step 2 of Algorithm 2.4.5, if we have worked modulo D (or D_i), it may happen that a_{i,k} = 0. In that case, it is necessary to set a_{i,k} ← D (or any non-zero multiple of D_i). Combining these observations leads to the following algorithm, essentially due to Domich et al. [DKT].

It should be emphasized that all reductions modulo R should be taken in the interval ]−R/2, R/2], and not in the interval [0, R[. Otherwise, small negative coefficients will become large positive ones, and this may lead to infinite loops.

Algorithm 2.4.8 (HNF Modulo D). Given an m × n matrix A with integer coefficients (a_{i,j}) of rank m (hence such that n ≥ m), and a positive integer D which is known to be a multiple of the determinant of the Z-module generated by the columns of A, this algorithm finds the Hermite normal form W of A. We use an auxiliary column vector B.

1. [Initialize] Set i ← m, j ← n, k ← n, R ← D.

2. [Check zero] If j = 1 go to step 4. Otherwise, set j ← j − 1, and if a_{i,j} = 0 go to step 2.

3. [Euclidean step] Using Euclid's extended algorithm, compute (u, v, d) such that u a_{i,k} + v a_{i,j} = d = gcd(a_{i,k}, a_{i,j}), with |u| and |v| minimal. Then set B ← uA_k + vA_j, A_j ← ((a_{i,k}/d)A_j − (a_{i,j}/d)A_k) mod R, A_k ← B mod R, and go to step 2.

4. [Next row] Using Euclid's extended algorithm, find (u, v, d) such that u a_{i,k} + vR = d = gcd(a_{i,k}, R). Set W_i ← uA_k mod R (here taken in the interval [0, R − 1]). If w_{i,i} = 0 set w_{i,i} ← R. For j = i + 1, ..., m set q ← ⌊w_{i,j}/w_{i,i}⌋ and W_j ← W_j − qW_i mod R. If i = 1, output the matrix W = (w_{i,j})_{1≤i,j≤m} and terminate the algorithm. Otherwise, set R ← R/d, i ← i − 1, k ← k − 1, j ← k, and if a_{i,k} = 0 set a_{i,k} ← R. Go to step 2.
This will be our algorithm of choice for HNF reduction, at least when some D is known and A is of rank m.

Remark.  It  has  been  noted  (see  Remark  (2)  after  Algorithm  2.4.4)  that  it  is 
easy  to  add  statements  so  as  to  obtain  the  matrix  U  such  that  B  =  AU  where 
B  is  the  n  x  m  matrix  in  Hermite  normal  form  whose  non-zero  columns  form 
the  HNF  of  A.  In  the  case  of  modulo  D  algorithms  such  as  the  one  above,  it 
seems  more  difficult  to  do  so. 


2.4.3  Applications  of  the  Hermite  Normal  Form 

In  this  section,  we  will  see  a  few  basic  applications  of  the  HNF  form  of  a 
matrix  representing  a  free  Z-module.  Further  applications  will  be  seen  in  the 
context  of  number  fields  (Chapter  4). 

Image of an Integer Matrix. First note that finding the HNF of a matrix using Algorithm 2.4.5 is essentially analogous to finding the column echelon form in the case of vector spaces (Algorithm 2.3.11). In particular, if the columns of the matrix represent a generating set for a free module L, Algorithm 2.4.5 allows us to find a basis (in fact of quite a special form), hence it also performs the same role as Algorithm 2.3.2. Contrary to the case of vector spaces, however, it is not possible in general to extract a basis from a generating set (this would mean that (a, b) = |a| or (a, b) = |b| in the case m = 1, n = 2), hence an analog of Algorithm 2.3.2 cannot exist.

Kernel of an Integer Matrix. We can also use Algorithm 2.4.5 to find the kernel of an m × n integer matrix A, i.e. a Z-basis for the free sub-Z-module of Z^n which is the set of column vectors X such that AX = 0. Note that this cannot be done (at least not without considerable extra work) by using Algorithm 2.3.1, which gives only a Q-basis. What we must do is simply keep track of the matrix U ∈ GL_n(Z) such that B = AU is in HNF. Indeed, we have the following proposition.

Proposition 2.4.9. Let A be an m × n matrix, B = AU its HNF with U ∈ GL_n(Z), and let r be such that the first r columns of B are equal to 0. Then a Z-basis for the kernel of A is given by the first r columns of U.

Proof. If U_i is the i-th column of U, then AU_i is the i-th column of B, so is equal to 0 if i ≤ r. Conversely, let X be a column vector such that AX = 0, or equivalently BY = 0 with Y = U^{−1}X. Solving the system BY = 0 from the bottom up, b_{f(k),k} > 0 for k > r (with the notation of Definition 2.4.2) implies that the last n − r coordinates of Y are equal to 0, and the first r are arbitrary, hence the first r canonical basis elements of Z^n form a Z-basis for the kernel of B, and upon left multiplication by U we obtain the proposition. □
This gives the following algorithm.

Algorithm 2.4.10 (Kernel over Z). Given an m × n matrix A with integer coefficients (a_{i,j}), this algorithm finds a Z-basis for the kernel of A. We use an auxiliary column vector B and an auxiliary n × n matrix U.

1. [Initialize] Set i ← m, j ← n, k ← n, U ← I_n, l ← 1 if m ≤ n, l ← m − n + 1 if m > n.

2. [Check zero] If j = 1 go to step 4. Otherwise, set j ← j − 1, and if a_{i,j} = 0 go to step 2.

3. [Euclidean step] Using Euclid's extended algorithm, compute (u, v, d) such that u a_{i,k} + v a_{i,j} = d = gcd(a_{i,k}, a_{i,j}), with |u| and |v| minimal. Then set B ← uA_k + vA_j, A_j ← (a_{i,k}/d)A_j − (a_{i,j}/d)A_k, A_k ← B; similarly set B ← uU_k + vU_j, U_j ← (a_{i,k}/d)U_j − (a_{i,j}/d)U_k, U_k ← B, then go to step 2.

4. [Final reductions] Set b ← a_{i,k}. If b < 0 set A_k ← −A_k, U_k ← −U_k and b ← −b. Now if b = 0, set k ← k + 1 and go to step 5, otherwise for j > k do the following: set q ← ⌊a_{i,j}/b⌋, A_j ← A_j − qA_k and U_j ← U_j − qU_k.

5. [Finished?] If i = l then for j = 1, ..., k − 1 set M_j ← U_j, output the matrix M and terminate the algorithm. Otherwise, set i ← i − 1, k ← k − 1, j ← k and go to step 2.
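Algorithms 2.4.8 and 2.4.10 written out as an added Python example (this is not the book's code): `hnf_mod_d` follows the modulo-D algorithm with the symmetric residues the text insists on, and `kernel_over_z` carries U along with A and returns the columns of U facing the zero columns of AU, as Proposition 2.4.9 prescribes. The helper `ext_gcd` enforces the sign conditions of the Important Remark after Algorithm 2.4.5; the sample matrices are constructed for illustration, and the kernel routine runs over every row rather than stopping at the row l of step 1, so it also covers matrices of rank below min(m, n).

```python
# Added example: Algorithm 2.4.8 (HNF modulo D) and Algorithm 2.4.10 (kernel over Z).
# Matrices are lists of rows; the routines work on columns as the text does.

def ext_gcd(a, b):
    """Extended Euclid: (u, v, d) with u*a + v*b == d == gcd(a, b) >= 0, normalised
    as in the Important Remark after Algorithm 2.4.5 (-|a|/d < v*sign(b) <= 0 and
    1 <= u*sign(a) <= |b|/d), so that v == 0 whenever a | b."""
    if b == 0:
        return (1 if a >= 0 else -1), 0, abs(a)
    if a == 0:
        return 0, (1 if b > 0 else -1), abs(b)
    u, v, d = ext_gcd(b, a % b)
    u, v = v, u - (a // b) * v             # now u*a + v*b == d
    s = 1 if b > 0 else -1
    v = -((-v * s) % (abs(a) // d)) * s    # move v*sign(b) into ]-|a|/d, 0]
    u = (d - v * b) // a                   # exact: d - v*b is a multiple of a
    return u, v, d


def smod(x, R):
    """Residue of x modulo R taken in the symmetric interval ]-R/2, R/2]."""
    r = x % R
    return r - R if r > R // 2 else r


def hnf_mod_d(A, D):
    """Algorithm 2.4.8: HNF of an m x n integer matrix A of rank m, computed modulo
    D, a positive multiple of the determinant of the module spanned by its columns.
    Returns the m x m upper triangular HNF W as a list of rows."""
    m, n = len(A), len(A[0])
    col = [[A[r][c] for r in range(m)] for c in range(n)]   # columns A_1..A_n
    W = [None] * m                                           # columns W_1..W_m
    R = D
    for i in range(m - 1, -1, -1):                           # rows bottom-up
        k = i + (n - m)                                      # pivot column
        if i < m - 1 and col[k][i] == 0:
            col[k][i] = R                                    # a_{i,k} = 0: use R
        for j in range(k - 1, -1, -1):                       # steps 2-3
            if col[j][i] == 0:
                continue
            u, v, d = ext_gcd(col[k][i], col[j][i])
            ak, aj = col[k][i] // d, col[j][i] // d
            B = [u * x + v * y for x, y in zip(col[k], col[j])]
            col[j] = [smod(ak * y - aj * x, R) for x, y in zip(col[k], col[j])]
            col[k] = [smod(b, R) for b in B]
        u, v, d = ext_gcd(col[k][i], R)                      # step 4
        Wi = [(u * x) % R for x in col[k]]                   # residues in [0, R-1]
        if Wi[i] == 0:
            Wi[i] = R
        W[i] = Wi
        for j in range(i + 1, m):                            # reduce row i of W_j
            q = W[j][i] // Wi[i]
            W[j] = [x - q * y for x, y in zip(W[j], Wi)]
        R //= d
    return [[W[c][r] for c in range(m)] for r in range(m)]


def kernel_over_z(A):
    """Algorithm 2.4.10: a Z-basis of {X in Z^n : A X = 0}.  Runs the column
    reduction of Algorithm 2.4.5 on A while applying the same operations to
    U = I_n, so that A U is in HNF; the columns of U facing the zero columns
    of A U are the kernel basis (Proposition 2.4.9).  Every row is processed."""
    m, n = len(A), len(A[0])
    col = [[A[r][c] for r in range(m)] for c in range(n)]
    U = [[int(r == c) for r in range(n)] for c in range(n)]  # columns of I_n
    i, k = m - 1, n - 1                                      # current row, pivot column
    while i >= 0 and k >= 0:
        for j in range(k - 1, -1, -1):                       # steps 2-3
            if col[j][i] == 0:
                continue
            u, v, d = ext_gcd(col[k][i], col[j][i])
            ak, aj = col[k][i] // d, col[j][i] // d
            for M in (col, U):                               # same ops on A and U
                B = [u * x + v * y for x, y in zip(M[k], M[j])]
                M[j] = [ak * y - aj * x for x, y in zip(M[k], M[j])]
                M[k] = B
        b = col[k][i]                                        # step 4
        if b < 0:
            col[k] = [-x for x in col[k]]
            U[k] = [-x for x in U[k]]
            b = -b
        if b != 0:
            for j in range(k + 1, n):
                q = col[j][i] // b
                col[j] = [x - q * y for x, y in zip(col[j], col[k])]
                U[j] = [x - q * y for x, y in zip(U[j], U[k])]
            k -= 1                                           # column k is a pivot
        i -= 1                                               # if b == 0, column k stays
    return U[:k + 1]
```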

Remark. Although this algorithm correctly gives a Z-basis for the kernel of A, the coefficients that are obtained are usually large. To obtain a really useful algorithm, it is necessary to reduce the basis that is obtained, for example using one of the variants of the LLL algorithm that we will see below (see Section 2.6). However, it is desirable to obtain directly a basis of good quality that avoids introducing large coefficients. This can be done using the MLLL algorithm (see Algorithm 2.7.2), and gives an algorithm which is usually preferable.

In view of the applications to number fields, limiting ourselves to free submodules of some Z^m is a little too restrictive. In what follows we will simply say that L is a module if it is a free sub-Z-module of rank m of Q^m. Considering basis elements of L, it is clear that there exists a minimal positive integer d such that dL ⊂ Z^m. We will call d the denominator of L with respect to Z^m. Then the HNF of L will be by definition the pair (W, d), where W is the HNF of dL, and d is the denominator of L.

Test for Equality. Since the HNF representation of a free module L is unique, it is clear that one can trivially test equality of modules: their denominator and their HNF must be the same.

Sum of Modules. Given two modules L and L' by their HNF, we can compute their sum L + L' = {x + x' : x ∈ L, x' ∈ L'} in the following way. Let (W, d) and (W', d') be their HNF representations. Let D = dd'/(d, d') be the least common multiple of d and d'. Denoting as usual by A_i the i-th column of a matrix A, consider the m × 2m matrix A such that A_i = (D/d)W_i and A_{m+i} = (D/d')W'_i for 1 ≤ i ≤ m. Then it is clear that the columns of A generate D(L + L'), hence if we compute the HNF H of A and divide D and H by the greatest common divisor of D and of all the coefficients of H, we obtain the HNF of L + L'. Apart from the treatment of denominators, this is similar to Algorithm 2.3.8.

Test for Inclusion. To test whether L' ⊂ L, where L and L' are given by their HNF, the most efficient way is probably to compute N = L + L' as above, and then test the equality N = L. Note that if d and d' are the denominators of L and L' respectively, a necessary condition for L' ⊂ L is that d' | d, hence the LCM D must be equal to d.

Product by a Constant. This is especially easy: if c = p/q ∈ Q with (p, q) = 1 and q > 0, the HNF of cL is obtained as follows. Let d_1 be the GCD of all the coefficients of the HNF of L. Then the denominator of cL is qd/((p, d)(q, d_1)), and the HNF matrix is equal to p/((p, d)(q, d_1)) times the HNF matrix of L.

We  will  see  that  the  HNF  is  quite  practical  for  other  problems  also,  but 
the  above  list  is,  I  hope,  sufficiently  convincing. 


2.4.4  The  Smith  Normal  Form  and  Applications 

We have seen that the Hermite normal form permits us to handle free Z-modules of finite rank quite nicely. We would now like a similar notion which would allow us to handle finite Z-modules G. Recall from Theorem 2.4.1 (3) that such a module is isomorphic (in many ways of course) to a quotient Z^n/L where L is a (necessarily free) submodule of Z^n of rank equal to n. More elegantly perhaps, we can say that G is isomorphic to a quotient L'/L of free Z-modules of the same (finite) rank n. Thus we can represent G (still non-canonically) by an n × n matrix A giving the coordinates of some Z-basis of L on some Z-basis of L'. In particular, A will have non-zero determinant, and in fact the absolute value of the determinant of A is equal to the cardinality of G, i.e. to the index [L' : L] (see Exercise 18).

The freedom we now have is as follows. Changing the Z-basis of L is equivalent to right multiplication of A by a matrix U ∈ GL_n(Z), as in the HNF case. Changing the Z-basis of L' is on the other hand equivalent to left multiplication of A by a matrix V ∈ GL_n(Z). In other words, we are allowed to perform elementary column and row operations on the matrix A without changing (the isomorphism class of) G. This leads to the notion of Smith normal form of A.

Definition 2.4.11. We say that an n × n matrix B is in Smith normal form (abbreviated SNF) if B is a diagonal matrix with nonnegative integer coefficients such that b_{i+1,i+1} | b_{i,i} for all i < n.
Then the basic theorem which explains the use of this definition is as follows.

Theorem 2.4.12. Let A be an n × n matrix with coefficients in Z and non-zero determinant. Then there exists a unique matrix B in Smith normal form such that B = VAU with U and V elements of GL_n(Z).


If we set d_i = b_{i,i}, the d_i are called the elementary divisors of the matrix A, and the theorem can be written

$$A = V^{-1}\begin{pmatrix} d_1 & 0 & \cdots & 0 \\ 0 & d_2 & & 0 \\ \vdots & & \ddots & \vdots \\ 0 & \cdots & 0 & d_n \end{pmatrix} U^{-1}$$

with d_{i+1} | d_i for 1 ≤ i < n.

This theorem, stated for matrices, is equivalent to the following theorem for Z-modules.

Theorem 2.4.13 (Elementary Divisor Theorem). Let L be a Z-submodule of a free module L' of the same rank. Then there exist positive integers d_1, ..., d_n (called the elementary divisors of L in L') satisfying the following conditions:

(1) For every i such that 1 ≤ i < n we have d_{i+1} | d_i.

(2) As Z-modules, we have the isomorphism

$$L'/L \simeq \bigoplus_{1\le i\le n} (\mathbb{Z}/d_i\mathbb{Z}),$$

and in particular [L' : L] = d_1 ⋯ d_n and d_1 is the exponent of L'/L.

(3) There exists a Z-basis (v_1, ..., v_n) of L' such that (d_1v_1, ..., d_nv_n) is a Z-basis of L.

Furthermore, the d_i are uniquely determined by L and L'.

Remarks.

(1) This fundamental theorem is valid more generally. It holds for finitely generated (torsion) free modules over a principal ideal domain (PID, see Chapter 4). It is false if the base ring R is not a PID: applying the theorem to n = 1, L' = R and L any integral ideal of R, it is clear that the truth of this theorem is equivalent to the PID condition.

(2) We have stated Theorem 2.4.12 only for square matrices of non-zero determinant. As in the Hermite case, it would be easy to state a generalization valid for general matrices (including non-square ones). In practice, this is not really needed since we can always first perform a Hermite reduction.


2.4  Z-Modules  and  the  Hermite  and  Smith  Normal  Forms 
The proof of these two theorems can be found in any standard textbook, but it follows immediately from the algorithm below.

Since  we  are  going  to  deal  with  square  matrices,  as  with  the  case  of  the 
HNF,  it  is  worthwhile  to  work  modulo  the  determinant  (or  a  multiple).  In  most 
cases  this  determinant  (or  a  multiple  of  it)  is  known  in  advance.  It  should  also 
be  emphasized  again  that  all  reductions  modulo  R  should  be  taken  in  the 
interval  ]  -  R/2,  R/2],  and  not  in  the  interval  [0,  R[. 

The  following  algorithm  is  essentially  due  to  Hafner  and  McCurley  (see 
[Haf-McCur2]). 

Algorithm 2.4.14 (Smith Normal Form). Given an n × n non-singular integral matrix A = (a_{i,j}), this algorithm finds the Smith normal form of A, i.e. outputs the diagonal elements d_i such that d_{i+1} | d_i. Recall that we denote by A_i (resp. A'_i) the columns (resp. the rows) of the matrix A. We use a temporary (column or row) vector variable B.

1. [Initialize i] Set i ← n, R ← |det(A)|. If n = 1, output d_1 ← R and terminate the algorithm.

2. [Initialize j for row reduction] Set j ← i, c ← 0.

3. [Check zero] If j = 1 go to step 5. Otherwise, set j ← j − 1. If a_{i,j} = 0 go to step 3.

4. [Euclidean step] Using Euclid's extended algorithm, compute (u, v, d) such that u a_{i,i} + v a_{i,j} = d = gcd(a_{i,i}, a_{i,j}), with u and v minimal (see remark after Algorithm 2.4.5). Then set B ← uA_i + vA_j, A_j ← ((a_{i,i}/d)A_j − (a_{i,j}/d)A_i) mod R, A_i ← B mod R and go to step 3.

5. [Initialize j for column reduction] Set j ← i.

6. [Check zero] If j = 1 go to step 8. Otherwise, set j ← j − 1, and if a_{j,i} = 0 go to step 6.

7. [Euclidean step] Using Euclid's extended algorithm, compute (u, v, d) such that u a_{i,i} + v a_{j,i} = d = gcd(a_{i,i}, a_{j,i}), with u and v minimal (see remark after Algorithm 2.4.5). Then set B ← uA'_i + vA'_j, A'_j ← ((a_{i,i}/d)A'_j − (a_{j,i}/d)A'_i) mod R, A'_i ← B mod R, c ← c + 1 and go to step 6.

8. [Repeat stage i?] If c > 0 go to step 2.

9. [Check the rest of the matrix] Set b ← a_{i,i}. For 1 ≤ k, l < i check whether b | a_{k,l}. As soon as some coefficient is not divisible by b, set A'_i ← A'_i + A'_k and go to step 2.

10. [Next stage] (Here all the a_{k,l} for 1 ≤ k, l < i are divisible by b). Output d_i = gcd(a_{i,i}, R) and set R ← R/d_i. If i = 2, output d_1 = gcd(a_{1,1}, R) and terminate the algorithm. Otherwise, set i ← i − 1 and go to step 2.

This algorithm seems complicated at first, but one can see that it is actually quite straightforward, using elementary row and column operations of determinant ±1 to reduce the matrix A.

This algorithm terminates (and does not take too many steps!) since each time one returns to step 2 from step 9, the coefficient a_{i,i} has been reduced at least by a factor of 2.

The  proof  that  this  algorithm  is  valid,  i.e.  that  the  result  is  correct,  follows 
exactly  the  proof  of  the  validity  of  Algorithm  2.4.6.  If  we  never  reduced  modulo 
R  in  Algorithm  2.4.14,  it  is  clear  that  the  result  would  be  correct  (however 
the  coefficients  would  explode).  Incidentally,  this  gives  a  proof  of  Theorems 
2.4.12  and  2.4.13. 

Hence, we must simply show that the transformations done in step 10 correctly restore the values of d_i. Denote by δ_i(A) the GCD of the determinants of all i × i sub-matrices of A, and not only from the last i rows as in the proof of Algorithm 2.4.6. Then, in a similar manner, these δ_i are invariant under elementary row and column operations of determinant ±1. Hence, denoting by Δ the diagonal SNF of A, by D the determinant of A, and by S = (a_{i,j}) the final form of the matrix A at the end of Algorithm 2.4.14, we have:

$$d_i\cdots d_n = \gcd(D, \delta_{n-i+1}(\Delta)) = \gcd(D, \delta_{n-i+1}(A)) = \gcd(D, \delta_{n-i+1}(S)) = \gcd(D, a_{i,i}\cdots a_{n,n}). \qquad (2_i)$$

Hence, if we set P_i = d_{i+1} ⋯ d_n, exactly as in the proof of Algorithm 2.4.6 we obtain

$$1 = \gcd\bigl(D/P_i,\ (a_{i+1,i+1}\cdots a_{n,n})/P_i\bigr)$$

(divide formula (2_{i+1}) by P_i), then

$$d_i = \gcd\bigl(D/P_i,\ (a_{i,i}a_{i+1,i+1}\cdots a_{n,n})/P_i\bigr)$$

(divide (2_i) by P_i), and hence

$$d_i = \gcd(D/P_i, a_{i,i}).$$

But clearly in stage i of the algorithm, R = D/P_i, thus proving the validity of the algorithm. □

Note  that  we  have  chosen  an  order  for  the  di  which  is  consistent  with  our 
choice  for  Hermite  normal  forms,  but  which  is  the  reverse  of  the  one  which  is 
found  in  most  texts.  The  modifications  to  Algorithm  2.4.14  so  that  the  order 
is  reversed  are  trivial  (essentially  make  i  and  j  go  up  instead  of  down)  and 
are  left  to  the  reader. 

The  Smith  normal  form  will  mainly  be  used  as  follows.  Let  G  be  a  finite 
Z-module  (i.e.  a  finite  Abelian  group).  We  want  to  determine  the  structure  of 
G,  and  in  particular  its  cardinality.  Note  that  a  corollary  of  Theorem  2.4.13 
is  the  structure  theorem  for  finite  Abelian  groups:  such  a  group  is  isomorphic 
to  a  unique  direct  sum  of  cyclic  groups  Z/diZ  with  di+ 1  |  di. 
We can then proceed as follows. By theoretical means, we find some integer n and a free module L' of rank n such that G is isomorphic to a quotient L'/L, where L is also of rank n but unknown. We then determine as many elements of L as possible (how to do this depends, of course, entirely on the specific problem) so as to have at least n elements which are Q-linearly independent. Using the Hermite normal form Algorithm 2.4.5, we can then find the HNF basis for the submodule L_1 of L generated by the elements that we have found. Computing the determinant of this basis (which is trivial since the basis is in triangular form) already gives us the cardinality of L'/L_1. If we know bounds for the order of G (for example, if we know the order of G up to a factor of √2 from above and below), we can check whether L_1 = L. If not, we continue finding new elements of L until the cardinality check shows that L_1 = L. We can then compute the SNF of the HNF basis (note that the determinant is now known), and this gives us the complete structure of G.

We  will  see  a  concrete  application  of  the  process  just  described  in  the 
sub-exponential  computations  of  class  groups  (see  Chapter  5). 


Remark. The diagonal elements which are obtained after a Hermite Normal Form computation are usually not equal to the Smith invariants. For example, the matrix

$$\begin{pmatrix} 2 & 1 \\ 0 & 2 \end{pmatrix}$$

is in HNF, but its Smith normal form has as diagonal elements (4, 1).
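Algorithm 2.4.14 as an added Python example (not the book's code), with a small Bareiss determinant supplying R = |det(A)| when no multiple D is known in advance. The inputs are constructed; the matrix of the remark above is one of them, and the returned d_i are the orders of the cyclic factors Z/d_iZ of Z^n/L in the text's order d_{i+1} | d_i.

```python
# Added example: Smith normal form (Algorithm 2.4.14) over the integers.
from math import gcd


def ext_gcd(a, b):
    """Extended Euclid: (u, v, d) with u*a + v*b == d == gcd(a, b) >= 0, normalised
    as in the Important Remark after Algorithm 2.4.5 (-|a|/d < v*sign(b) <= 0 and
    1 <= u*sign(a) <= |b|/d), so that v == 0 whenever a | b."""
    if b == 0:
        return (1 if a >= 0 else -1), 0, abs(a)
    if a == 0:
        return 0, (1 if b > 0 else -1), abs(b)
    u, v, d = ext_gcd(b, a % b)
    u, v = v, u - (a // b) * v             # now u*a + v*b == d
    s = 1 if b > 0 else -1
    v = -((-v * s) % (abs(a) // d)) * s    # move v*sign(b) into ]-|a|/d, 0]
    u = (d - v * b) // a                   # exact: d - v*b is a multiple of a
    return u, v, d


def smod(x, R):
    """Residue of x modulo R taken in the symmetric interval ]-R/2, R/2]."""
    r = x % R
    return r - R if r > R // 2 else r


def det_bareiss(A):
    """Fraction-free (Bareiss) determinant of a square integer matrix."""
    M = [row[:] for row in A]
    n, sign, prev = len(M), 1, 1
    for k in range(n - 1):
        if M[k][k] == 0:                               # bring a non-zero pivot in
            p = next((r for r in range(k + 1, n) if M[r][k] != 0), None)
            if p is None:
                return 0
            M[k], M[p], sign = M[p], M[k], -sign
        for r in range(k + 1, n):
            for c in range(k + 1, n):
                M[r][c] = (M[r][c] * M[k][k] - M[r][k] * M[k][c]) // prev
        prev = M[k][k]
    return sign * M[n - 1][n - 1]


def smith_normal_form(A, D=None):
    """Algorithm 2.4.14: elementary divisors [d_1, ..., d_n] of a non-singular
    n x n integer matrix, in the text's order d_{i+1} | d_i.  Reductions are
    taken modulo R = |det A| (or D, a known positive multiple of it)."""
    n = len(A)
    M = [row[:] for row in A]
    R = abs(det_bareiss(A)) if D is None else D
    d = [0] * n
    for i in range(n - 1, 0, -1):                      # stage i (0-based), i >= 1
        while True:                                    # steps 2-9
            c = 0
            for j in range(i - 1, -1, -1):             # row i: column operations
                if M[i][j] == 0:
                    continue
                u, v, g = ext_gcd(M[i][i], M[i][j])
                ai, aj = M[i][i] // g, M[i][j] // g
                for r in range(n):
                    x, y = M[r][i], M[r][j]
                    M[r][j] = smod(ai * y - aj * x, R)
                    M[r][i] = smod(u * x + v * y, R)
            for j in range(i - 1, -1, -1):             # column i: row operations
                if M[j][i] == 0:
                    continue
                u, v, g = ext_gcd(M[i][i], M[j][i])
                ai, aj = M[i][i] // g, M[j][i] // g
                for s in range(n):
                    x, y = M[i][s], M[j][s]
                    M[j][s] = smod(ai * y - aj * x, R)
                    M[i][s] = smod(u * x + v * y, R)
                c += 1
            if c > 0:
                continue                               # step 8: repeat stage i
            b = M[i][i]                                # step 9
            if b == 0:                                 # a_{i,i} = 0 mod R: d_i = R
                break
            bad = next((k for k in range(i) for l in range(i) if M[k][l] % b), None)
            if bad is None:
                break
            M[i] = [x + y for x, y in zip(M[i], M[bad])]   # A'_i <- A'_i + A'_k
        d[i] = gcd(M[i][i], R)                         # step 10
        R //= d[i]
    d[0] = gcd(M[0][0], R)
    return d
```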


2.5  Generalities  on  Lattices 

2.5.1  Lattices  and  Quadratic  Forms 

We  are  now  going  to  add  some  extra  structure  to  free  Z-modules  of  finite  rank. 
Recall  the  following  definition. 

Definition 2.5.1. Let K be a field of characteristic different from 2, and let V be a K-vector space. We say that a map q from V to K is a quadratic form if the following two conditions are satisfied:

(1) For every λ ∈ K and x ∈ V we have

$$q(\lambda\cdot x) = \lambda^2 q(x).$$

(2) If we set b(x, y) = ½(q(x + y) − q(x) − q(y)) then b is a (symmetric) bilinear form, i.e. b(x + x', y) = b(x, y) + b(x', y) and b(λ·x, y) = λb(x, y) for all λ ∈ K, x, x' and y in V (the similar conditions on the second variable follow from the fact that b(y, x) = b(x, y)).


The  identity  b(x,x)  =  q(x)  allows  us  to  recover  q  from  b. 
In the case where K = R, we say that q is positive definite if for all non-zero x ∈ V we have q(x) > 0.

Definition 2.5.2. A lattice L is a free Z-module of finite rank together with a positive definite quadratic form q on L ⊗ R.


Let (b_i)_{1≤i≤n} be a Z-basis of L. If x = Σ x_i b_i ∈ L with x_i ∈ Z, the definition of a quadratic form implies that

$$q(x) = \sum_{1\le i,j\le n} q_{i,j}\,x_i x_j \quad\text{with}\quad q_{i,j} = b(b_i, b_j),$$

where as above, b denotes the symmetric bilinear form associated to q.

The matrix Q = (q_{i,j})_{1≤i,j≤n} is then a symmetric matrix which is positive definite when q is positive definite. We have b(x, y) = Y^tQX and in particular q(x) = X^tQX, where X and Y are the column vectors giving the coordinates of x and y respectively in the basis (b_i).

We will say that two lattices (L, q) and (L', q') are equivalent if there exists a Z-module isomorphism between L and L' sending q to q'. We will identify equivalent lattices. Also, when the quadratic form is understood, we will write L instead of (L, q).

A lattice (L, q) can be represented in several ways, all of which are useful. First, one can choose a Z-basis (b_i)_{1≤i≤n} of the lattice. Then an element x ∈ L will be considered as a (column) vector X giving the (integral) coordinates of x on the basis. The quadratic form q is then represented by the positive definite symmetric matrix Q as we have seen above.

Changing  the  Z-basis  amounts  to  replacing  X  by  PX  for  some  P  G 
GLn(Z),  hence  q{x)  =  ( PXfQ{PX )  =  XtQ,X  with  Q'  =  PtQP.  Hence, 
equivalence  classes  of  lattices  correspond  to  equivalence  classes  of  positive 
definite  symmetric  matrices  under  the  equivalence  relation  Q'  ~  Q  if  and  only 
if  there  exists  P  €  GLn(Z)  such  that  Q'  =  PtQP.  Note  that  det(P)  =  ±1, 
hence  the  determinant  of  Q  is  independent  of  the  choice  of  the  basis.  Since  Q 
is  positive  definite,  det(Q)  >  0  and  we  will  set  d(L)  =  det(Q)1/2  and  call  it 
the  determinant  of  the  lattice. 

A second way to represent a lattice (L, q) is to consider L as a discrete
subgroup of rank n of the Euclidean vector space $E = L \otimes \mathbb{R}$. Then if $(b_i)_{1 \le i \le n}$
is a $\mathbb{Z}$-basis of L, it is also by definition of the tensor product an $\mathbb{R}$-basis of E.
The matrix of scalar products $Q = (b_i \cdot b_j)_{1 \le i,j \le n}$ (where $b_i \cdot b_j = b(b_i, b_j)$)
is then called the Gram matrix of the $b_i$. If we choose some orthonormal basis
of E, we can then identify E with the Euclidean space $\mathbb{R}^n$ with the usual
Euclidean structure coming from the quadratic form $q(x) = x_1^2 + \cdots + x_n^2$.

If B is the $n \times n$ matrix whose columns give the coordinates of the $b_i$ on
the chosen orthonormal basis of E, it is clear that $Q = B^t B$. In particular,
$d(L) = |\det(B)|$. Furthermore, if another choice of orthonormal basis is made,
the new matrix B' will be of the form $B' = KB$ where K is an orthogonal
matrix, i.e. a matrix such that $K^t K = K K^t = I_n$. Thus we have proved the
following proposition.

Proposition 2.5.3.

(1) If Q is the matrix of a positive definite quadratic form, then Q is the Gram
matrix of some lattice basis, i.e. there exists a matrix $B \in GL_n(\mathbb{R})$ such
that $Q = B^t B$.

(2) The Gram matrix of a lattice basis $b_i$ determines this basis uniquely up to
isometry. In other words, if the $b_i$ and the $b'_i$ have the same Gram matrix,
then the $b'_i$ can be obtained from the $b_i$ by an orthogonal transformation.
In matrix terms, $B' = KB$ where K is an orthogonal matrix.


It is not difficult to give a completely matrix-theoretic proof of this proposition
(see Exercise 20).

It follows from the above results that when dealing with lattices, it is not
necessary to give the coordinates of the $b_i$ on some orthonormal basis. We
can simply give a positive definite matrix which we can then think of as being
the Gram matrix of the $b_i$.

We see from the above discussion that there are natural bijections between
the following three sets:

{Isomorphism classes of lattices of rank n},

{Classes of positive definite symmetric matrices Q}/$\sim$,
where $Q' \sim Q$ if and only if $Q' = P^t Q P$ for some $P \in GL_n(\mathbb{Z})$, and

$GL_n(\mathbb{R})/\sim$,

where $B' \sim B$ if and only if $B' = KBP$ for some $P \in GL_n(\mathbb{Z})$ and some
orthogonal matrix K.

Remarks. 

(1) We have considered L in particular as a free discrete sub-$\mathbb{Z}$-module of the
n-dimensional Euclidean space $L \otimes \mathbb{R}$. In many situations, it is desirable
to consider L as a free discrete sub-$\mathbb{Z}$-module of some Euclidean space E
of dimension m larger than n. The matrix B of coordinates of a basis of
L on some orthonormal basis of E will then be an $m \times n$ matrix, but the
Gram matrix $Q = B^t B$ will still be an $n \times n$ symmetric matrix.

(2) By abuse of language, we will frequently say that a free $\mathbb{Z}$-module of finite
rank is a lattice even if there is no implicit quadratic form.

2.5.2 The Gram-Schmidt Orthogonalization Procedure

The existence of an orthonormal basis in a Euclidean vector space is often
proved by using Gram-Schmidt orthonormalization (see any standard textbook).
Doing this requires taking square roots, since the final vectors must be
of length equal to 1.

For our purposes, we will need only an orthogonal basis, i.e. a set of mutually
orthogonal vectors which are not necessarily of length 1. The same
procedure works, except we do not normalize the length, and we will also call
this the Gram-Schmidt orthogonalization procedure. It is summarized in the
following proposition.

Proposition 2.5.4 (Gram-Schmidt). Let $(b_i)$ be a basis of a Euclidean vector
space E. Define by induction:

$$b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{i,j}\, b_j^* \qquad (1 \le i \le n),$$

where

$$\mu_{i,j} = \frac{b_i \cdot b_j^*}{b_j^* \cdot b_j^*} \qquad (1 \le j < i \le n),$$

then the $b_i^*$ form an orthogonal (but not necessarily orthonormal) basis of
E, $b_i^*$ is the projection of $b_i$ on the orthogonal complement of
$\sum_{j=1}^{i-1} \mathbb{R} b_j = \sum_{j=1}^{i-1} \mathbb{R} b_j^*$, and the matrix M whose columns give the coordinates of the $b_i$
in terms of the $b_j^*$ is an upper triangular matrix with diagonal terms equal to
1. In particular, if d(L) is the determinant of the lattice L, we have

$$d(L)^2 = \prod_{1 \le i \le n} \|b_i^*\|^2.$$

The proof is trivial using induction. □

We  will  now  give  a  number  of  corollaries  of  this  construction. 

Corollary 2.5.5 (Hadamard's Inequality). Let (L, q) be a lattice of determinant
d(L), $(b_i)_{1 \le i \le n}$ a $\mathbb{Z}$-basis of L, and for $x \in L$ write |x| for $q(x)^{1/2}$.
Then

$$d(L) \le \prod_{i=1}^{n} |b_i|.$$

Equivalently, if $B = (b_{i,j})$ is an $n \times n$ matrix then

$$|\det(B)| \le \prod_{1 \le i \le n} \Big( \sum_{1 \le j \le n} |b_{i,j}|^2 \Big)^{1/2}.$$

Proof. If we set $B_i = |b_i^*|^2$, the orthogonality of the $b_j^*$ implies that

$$q(b_i) = |b_i|^2 = B_i + \sum_{1 \le j < i} \mu_{i,j}^2 B_j,$$

hence $d(L)^2 = \prod_{1 \le i \le n} B_i \le \prod_{1 \le i \le n} |b_i|^2$. □


Corollary  2.5.6.  Let  B  be  an  invertible  matrix  with  coefficients  in  R.  Then 
there  exist  unique  matrices  K,  A  and  N  such  that: 

(1)  B  =  KAN. 

(2) K is an orthogonal matrix, in other words $K^t = K^{-1}$.

(3)  A  is  a  diagonal  matrix  with  positive  diagonal  coefficients. 

(4)  N  is  an  upper  triangular  matrix  with  diagonal  terms  equal  to  1. 


Note that this Corollary is sometimes called the Iwasawa decomposition
of B since it is in fact true in a much more general setting than that of the
group $GL_n(\mathbb{R})$.

Proof. Let B' be the matrix obtained by applying the Gram-Schmidt process
to the vectors whose coordinates are the columns of B on the standard basis
of $\mathbb{R}^n$. Then, by the proposition we have $B' = BN$ where N is an upper
triangular matrix with diagonal terms equal to 1. Now the Gram-Schmidt
process gives an orthogonal basis, in other words the Gram matrix of the $b_i^*$
is a diagonal matrix D with positive entries. Let A be the diagonal matrix
obtained from D by taking the positive square root of each coefficient (we will
call A the square root of D). Then the equality $B'^t B' = D$ is equivalent to
$B' = KA$ for an orthogonal matrix K, hence $BN = KA$, which is equivalent
to the existence statement of the corollary.

The uniqueness statement also follows since the equality $B' = BN = KA$
means that the $b'_i$ form an orthogonal basis which can be expressed on
the $b_i$ via an upper triangular matrix with diagonal terms equal to 1, and
the procedure for obtaining this basis (i.e. the Gram-Schmidt coefficients) is
clearly unique. □

Remarks. 

(1)  The  requirement  that  the  diagonal  coefficients  of  A  be  positive  is  not 
essential,  and  is  given  only  to  insure  uniqueness. 

(2)  By  considering  the  inverse  matrix  and/or  the  transpose  matrix  of  B,  one 
has  the  same  result  with  N  lower  triangular,  or  with  B  =  NAK  instead 
of  KAN. 

(3)  T  =  AN  is  an  upper  triangular  matrix  with  positive  diagonal  coefficients, 
and  clearly  any  such  upper  triangular  matrix  T  can  be  written  uniquely 
in  the  form  AN  where  A  and  N  are  as  in  the  corollary.  Hence  we  can  use 
interchangeably  both  notations. 
Another result is as follows.

Proposition 2.5.7. If Q is the matrix of a positive definite quadratic form,
then there exists a unique upper triangular matrix T with positive diagonal
coefficients such that $Q = T^t T$ (or equivalently $Q = N^t D N$ where N is an
upper triangular matrix with diagonal terms equal to 1 and D is a diagonal
matrix with positive diagonal coefficients).

Proof. By Proposition 2.5.3, we know that there exists $B \in GL_n(\mathbb{R})$ such that
$Q = B^t B$. On the other hand, by the Iwasawa decomposition we know that
there exist matrices K and T such that $B = KT$ with K orthogonal and T
upper triangular with positive diagonal coefficients ($T = AN$ in the notation
of Corollary 2.5.6). Hence $Q = B^t B = T^t T$, thus showing the existence of
T.

For the uniqueness, note that if $T^t T = T'^t T'$ with T and T' upper triangular,
then

$$(T'^t)^{-1} T^t = T' T^{-1},$$

where taking inverses is justified since Q is a positive definite matrix. But
the left hand side of this equality is a lower triangular matrix, while the right
hand side is an upper triangular one, hence both sides must be equal to some
diagonal matrix D, and plugging back in the initial equality and using again
the invertibility of T, we obtain that $D^2$ is equal to the identity matrix. Now
since the diagonal coefficients of $D = T' T^{-1}$ must be positive, we deduce that
D itself is equal to the identity matrix, thus proving the proposition. □

We will give later an algorithm to find the matrix T (Algorithm 2.7.6).
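As an added example (my code, not the book's), the following Python carries out the unnormalized Gram-Schmidt procedure of Proposition 2.5.4 in exact rational arithmetic on a constructed rank-3 basis, checks $d(L)^2 = \prod \|b_i^*\|^2$ and Hadamard's inequality of Corollary 2.5.5, and reads the decomposition $Q = N^t D N$ of Proposition 2.5.7 directly off the Gram-Schmidt coefficients. All function names and the sample basis are my own choices; the Cholesky factor $T = AN$ is left out because it needs square roots.

```python
from fractions import Fraction
from math import prod

def dot(u, v):
    """Scalar product b(u, v) = u . v of two coordinate vectors."""
    return sum(x * y for x, y in zip(u, v))

def gram_matrix(basis):
    """Gram matrix Q = (b_i . b_j) of the basis vectors."""
    return [[dot(u, v) for v in basis] for u in basis]

def gram_schmidt(basis):
    """Gram-Schmidt without normalization (Proposition 2.5.4), exact over Q.

    Returns (bstar, mu, B): bstar[i] = b_i^*, mu[i][j] = mu_{i,j} for j < i
    (zero elsewhere) and B[i] = |b_i^*|^2.  Indices are 0-based, so the
    b_i of the text is basis[i-1]."""
    n = len(basis)
    bstar, B = [], []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in basis[i]]
        for j in range(i):
            mu[i][j] = dot(basis[i], bstar[j]) / B[j]   # b_i . b_j^* / (b_j^* . b_j^*)
            v = [a - mu[i][j] * c for a, c in zip(v, bstar[j])]
        bstar.append(v)
        B.append(dot(v, v))
        if B[i] == 0:                                  # the vectors were dependent
            raise ValueError("vectors are linearly dependent")
    return bstar, mu, B

def det_squared(basis):
    """d(L)^2 = prod_i |b_i^*|^2 (Proposition 2.5.4)."""
    return prod(gram_schmidt(basis)[2])

def hadamard_holds(basis):
    """Corollary 2.5.5, checked on squares to stay in exact arithmetic:
    d(L)^2 <= prod_i |b_i|^2."""
    return det_squared(basis) <= prod(dot(b, b) for b in basis)

def ntdn_decomposition(basis):
    """Q = N^t D N of Proposition 2.5.7 read off the Gram-Schmidt data:
    N is unit upper triangular with N[j][i] = mu_{i,j} (column i holds the
    coordinates of b_i on the b_j^*), and D = diag(B_1, ..., B_n)."""
    _, mu, B = gram_schmidt(basis)
    n = len(basis)
    N = [[Fraction(1) if r == c else (mu[c][r] if r < c else Fraction(0))
          for c in range(n)] for r in range(n)]
    D = [[B[r] if r == c else Fraction(0) for c in range(n)] for r in range(n)]
    return N, D

def matmul(A, M):
    return [[sum(A[r][k] * M[k][c] for k in range(len(M))) for c in range(len(M[0]))]
            for r in range(len(A))]

def transpose(A):
    return [list(col) for col in zip(*A)]

def ntdn_matches_gram(basis):
    """Verify that N^t D N equals the Gram matrix of the basis."""
    N, D = ntdn_decomposition(basis)
    return matmul(matmul(transpose(N), D), N) == gram_matrix(basis)

# Constructed sample basis of a rank-3 lattice in R^3 (not from the book).
SAMPLE_BASIS = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]

if __name__ == "__main__":
    bstar, mu, B = gram_schmidt(SAMPLE_BASIS)
    print("B_i =", B)                                  # [3, 14/3, 9/14]
    print("d(L)^2 =", det_squared(SAMPLE_BASIS))       # 9, i.e. d(L) = 3 = |det B|
    print("Hadamard:", hadamard_holds(SAMPLE_BASIS))
    print("Q == N^t D N:", ntdn_matches_gram(SAMPLE_BASIS))
```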


2.6  Lattice  Reduction  Algorithms 

2.6.1  The  LLL  Algorithm 

Among all the $\mathbb{Z}$-bases of a lattice L, some are better than others. The ones
whose elements are the shortest (for the corresponding norm associated to
the quadratic form q) are called reduced. Since the bases all have the same
determinant, to be reduced implies also that a basis is not too far from being
orthogonal.

The notion of reduced basis is quite old, and in fact in some sense one
can even define an optimal notion of reduced basis. The problem with this
is that no really satisfactory algorithm is known to find such a basis in a
reasonable time, except in dimension 2 (Algorithm 1.3.14), and quite recently
in dimension 3 from the work of B. Vallée [Val].

A real breakthrough came in 1982 when A. K. Lenstra, H. W. Lenstra and
L. Lovász succeeded in giving a new notion of reduction (what is now called
LLL-reduction) and simultaneously a reduction algorithm which is deterministic
and polynomial time (see [LLL]). This has proved invaluable.

The LLL notion of reduction is as follows. Let $b_1, b_2, \dots, b_n$ be a basis of L.
Using the Gram-Schmidt orthogonalization process, we can find an orthogonal
(not orthonormal) basis $b_1^*, b_2^*, \dots, b_n^*$ as explained in Proposition 2.5.4.

Definition 2.6.1. With the above notations, the basis $b_1, b_2, \dots, b_n$ is called
LLL-reduced if

$$|\mu_{i,j}| \le \frac{1}{2} \qquad \text{for } 1 \le j < i \le n$$

and

$$|b_i^* + \mu_{i,i-1} b_{i-1}^*|^2 \ge \frac{3}{4} |b_{i-1}^*|^2 \qquad \text{for } 1 < i \le n,$$

or equivalently

$$|b_i^*|^2 \ge \Big(\frac{3}{4} - \mu_{i,i-1}^2\Big) |b_{i-1}^*|^2.$$

Note that the vectors $b_i^* + \mu_{i,i-1} b_{i-1}^*$ and $b_{i-1}^*$ are the projections of $b_i$
and $b_{i-1}$ on the orthogonal complement of $\sum_{j=1}^{i-2} \mathbb{R} b_j$.

Then we have the following theorem:

Theorem 2.6.2. Let $b_1, b_2, \dots, b_n$ be an LLL-reduced basis of a lattice L.
Then

(1)

$$d(L) \le \prod_{i=1}^{n} |b_i| \le 2^{n(n-1)/4}\, d(L),$$

(2)

$$|b_j| \le 2^{(i-1)/2} |b_i^*| \qquad \text{if } 1 \le j \le i \le n,$$

(3)

$$|b_1| \le 2^{(n-1)/4}\, d(L)^{1/n},$$

(4) For every $x \in L$ with $x \ne 0$ we have

$$|b_1| \le 2^{(n-1)/2} |x|,$$

(5) More generally, for any linearly independent vectors $x_1, \dots, x_t \in L$ we
have

$$|b_j| \le 2^{(n-1)/2} \max(|x_1|, \dots, |x_t|) \qquad \text{for } 1 \le j \le t.$$
We see that the vector $b_1$ in a reduced basis is, in a very precise sense, not
too far from being the shortest non-zero vector of L. In fact, it often is the
shortest, and when it is not, one can, most of the time, work with $b_1$ instead
of the actual shortest vector.

Notation. In the rest of this chapter, we will use the notation $x \cdot y$ instead
of b(x, y) where b is the bilinear form associated to q, and write $x^2$ instead of
$x \cdot x = q(x)$.

Proof. As in Corollary 2.5.5, we set $B_i = |b_i^*|^2$. The first inequality of (1)
is Corollary 2.5.5. Since the $b_i$ are LLL-reduced, we have
$B_i \ge (3/4 - \mu_{i,i-1}^2) B_{i-1} \ge B_{i-1}/2$ since $|\mu_{i,i-1}| \le 1/2$. By induction, this shows that
$B_j \le 2^{i-j} B_i$ for $i \ge j$, hence

$$b_j^2 = B_j + \sum_{1 \le l < j} \mu_{j,l}^2 B_l \le \Big(2^{j-2} + \frac{1}{2}\Big) B_j \le 2^{j-1} B_j,$$

and this trivially implies Theorem 2.6.2 (1), in fact with a slightly better
exponent of 2. Combining the two inequalities which we just obtained, we
get for all $j \le i$, $b_j^2 \le (2^{i-2} + 2^{i-j-1}) B_i$ which implies (2). If we set j = 1
in (2) and take the product of (2) for i = 1 to i = n, we obtain
$(b_1^2)^n \le 2^{n(n-1)/2} \prod_{1 \le i \le n} B_i = 2^{n(n-1)/2} d(L)^2$, proving (3). For (4), there exists an i
such that $x = \sum_{1 \le j \le i} r_j b_j = \sum_{1 \le j \le i} s_j b_j^*$ and $r_i \ne 0$, where $r_j \in \mathbb{Z}$ and
$s_j \in \mathbb{R}$. It is clear from the definition of the $b_j^*$ that $r_i = s_i$, hence

$$|x|^2 \ge s_i^2 B_i = r_i^2 B_i \ge B_i$$

since $r_i$ is a non-zero integer, and since by (2) we know that $B_i \ge 2^{1-i} |b_1|^2 \ge 2^{1-n} |b_1|^2$,
(4) is proved. (5) is proved by a generalization of the present argument
and is left to the reader. □


Remark. Although we have lost a little in the exponent of 2 in Theorem 2.6.2
(1), the proof shows that even using the optimal value given in our proof would
not improve the estimate in (4). On the other hand, we have not completely
used the full LLL-reduction inequalities. In particular, the inequalities on the
$\mu_{i,j}$ can be weakened to $\mu_{i,j}^2 \le 1/2$ for all $j < i-1$ and $|\mu_{i,i-1}| \le 1/2$. This
can be used to speed up the reduction algorithm which follows.

As has already been mentioned, what makes all these notions and theorems
so valuable is that there is a very simple and efficient algorithm to find a
reduced basis in a lattice. We now describe this algorithm in its simplest form.
The idea is as follows. Assume that the vectors $b_1, \dots, b_{k-1}$ are already LLL-reduced
(i.e. form an LLL-reduced basis of the lattice they generate). This
will be initially the case for k = 2. The vector $b_k$ first needs to be reduced
so that $|\mu_{k,j}| \le 1/2$ for all j < k (some authors call this size reduction). This
is done by replacing $b_k$ by $b_k - \sum_{j<k} a_j b_j$ for some $a_j \in \mathbb{Z}$ in the following
way. Assume that $|\mu_{k,j}| \le 1/2$ for $l < j < k$ (initially with l = k). Then, if
$q = \lfloor \mu_{k,l} \rceil$ is the nearest integer to $\mu_{k,l}$, and if we replace $b_k$ by $b_k - q b_l$,
then $\mu_{k,j}$ is not modified for j > l (since $b_l$ is orthogonal to $b_j^*$ for l < j), and
$\mu_{k,l}$ is replaced by $\mu_{k,l} - q$ (since $b_l \cdot b_l^* = b_l^* \cdot b_l^*$) and $|\mu_{k,l} - q| \le 1/2$, hence
the modified $\mu_{k,j}$ satisfy $|\mu_{k,j}| \le 1/2$ for $l - 1 < j < k$.

Now that size reduction is done for the vector $b_k$, we also need to satisfy
the so-called Lovász condition, i.e. $B_k \ge (3/4 - \mu_{k,k-1}^2) B_{k-1}$. If this condition
is satisfied, we increase k by 1 and start on the next vector $b_k$ (if there is
one). If it is not satisfied, we exchange the vectors $b_k$ and $b_{k-1}$, but then we
must decrease k by 1 since we only know that $b_1, \dots, b_{k-2}$ is LLL-reduced.
A priori it is not clear that this succession of increments and decrements of k
will ever terminate, but we will prove that this is indeed the case (and that
the number of steps is not large) after giving the algorithm.

We could compute all the Gram-Schmidt coefficients $\mu_{k,j}$ and $B_k$ at the
beginning of the algorithm, and then update them during the algorithm. After
each exchange step however, the coefficients $\mu_{i,k}$ and $\mu_{i,k-1}$ for i > k must be
updated, and this is usually a waste of time since they will probably change
before they are used. Hence, it is a better idea to compute the Gram-Schmidt
coefficients as needed, keeping in a variable $k_{\max}$ the maximal value of k that
has been attained.

Another improvement on the basic idea is to reduce only the coefficient
$\mu_{k,k-1}$ and not all the $\mu_{k,l}$ for l < k during size-reduction, since this is the
only coefficient which must be less than 1/2 in absolute value before testing
the Lovász condition. All this leads to the following algorithm.

Algorithm 2.6.3 (LLL Algorithm). Given a basis $b_1, b_2, \dots, b_n$ of a lattice
(L, q) (either by coordinates on the canonical basis of $\mathbb{R}^m$ for some $m \ge n$ or
by its Gram matrix), this algorithm transforms the vectors $b_i$ so that when the
algorithm terminates, the $b_i$ form an LLL-reduced basis. In addition, the algorithm
outputs a matrix H giving the coordinates of the LLL-reduced basis in terms of
the initial basis. As usual we will denote by $H_i$ the columns of H.

1. [Initialize] Set $k \leftarrow 2$, $k_{\max} \leftarrow 1$, $b_1^* \leftarrow b_1$, $B_1 \leftarrow b_1 \cdot b_1$ and $H \leftarrow I_n$.

2. [Incremental Gram-Schmidt] If $k \le k_{\max}$ go to step 3. Otherwise, set $k_{\max} \leftarrow k$,
$b_k^* \leftarrow b_k$, then for $j = 1, \dots, k-1$ set $\mu_{k,j} \leftarrow b_k \cdot b_j^* / B_j$ and
$b_k^* \leftarrow b_k^* - \mu_{k,j} b_j^*$. Finally, set $B_k \leftarrow b_k^* \cdot b_k^*$ (see Remark (2) below for the corresponding
step if only the Gram matrix of the $b_i$ is given). If $B_k = 0$ output an error
message saying that the $b_i$ did not form a basis and terminate the algorithm.

3. [Test LLL condition] Execute Sub-algorithm RED(k, k-1) below. If
$B_k < (0.75 - \mu_{k,k-1}^2) B_{k-1}$, execute Sub-algorithm SWAP(k) below, set
$k \leftarrow \max(2, k-1)$ and go to step 3. Otherwise, for $l = k-2, k-3, \dots, 1$ execute
Sub-algorithm RED(k, l), then set $k \leftarrow k+1$.

4. [Finished?] If $k \le n$, then go to step 2. Otherwise, output the LLL-reduced
basis $b_i$, the transformation matrix $H \in GL_n(\mathbb{Z})$ and terminate the algorithm.

Sub-algorithm RED(k, l). If $|\mu_{k,l}| \le 0.5$ terminate the sub-algorithm. Otherwise,
let q be the integer nearest to $\mu_{k,l}$, i.e.

$$q = \lfloor \mu_{k,l} \rceil = \lfloor 0.5 + \mu_{k,l} \rfloor.$$

Set $b_k \leftarrow b_k - q b_l$, $H_k \leftarrow H_k - q H_l$, $\mu_{k,l} \leftarrow \mu_{k,l} - q$, for all i such that
$1 \le i \le l-1$ set $\mu_{k,i} \leftarrow \mu_{k,i} - q \mu_{l,i}$ and terminate the sub-algorithm.

Sub-algorithm SWAP(k). Exchange the vectors $b_k$ and $b_{k-1}$, $H_k$ and $H_{k-1}$,
and if k > 2, for all j such that $1 \le j \le k-2$ exchange $\mu_{k,j}$ with $\mu_{k-1,j}$. Then
set (in this order) $\mu \leftarrow \mu_{k,k-1}$, $B \leftarrow B_k + \mu^2 B_{k-1}$, $\mu_{k,k-1} \leftarrow \mu B_{k-1} / B$,
$b \leftarrow b_{k-1}^*$, $b_{k-1}^* \leftarrow b_k^* + \mu b$, $b_k^* \leftarrow -\mu_{k,k-1} b_k^* + (B_k/B)\, b$, $B_k \leftarrow B_{k-1} B_k / B$
and $B_{k-1} \leftarrow B$. Finally, for $i = k+1, k+2, \dots, k_{\max}$ set (in this order) $t \leftarrow \mu_{i,k}$,
$\mu_{i,k} \leftarrow \mu_{i,k-1} - \mu t$, $\mu_{i,k-1} \leftarrow t + \mu_{k,k-1} \mu_{i,k}$ and terminate the sub-algorithm.
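An added worked implementation of Algorithm 2.6.3 (my code, not the book's): it follows steps 1 to 4 and the RED and SWAP sub-algorithms, including the SWAP update formulas and the $k_{\max}$ bookkeeping, with 0-based indices and exact Fractions, keeps the transformation matrix H, and then checks the output against Definition 2.6.1, the relation between H and the input basis, and Theorem 2.6.2 (3). The function names, the parameter c (the constant 0.75 of step 3) and the sample basis are my own.

```python
from fractions import Fraction
from math import floor, prod

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))          # scalar product x . y

def lll_reduce(basis, c=Fraction(3, 4)):
    """Algorithm 2.6.3 on coordinate vectors, in exact rational arithmetic.
    Returns (reduced, H, mu, B): the LLL-reduced basis, the integral matrix H
    with reduced[j] = sum_i H[i][j] * basis[i] (columns = the H_j of the
    text), and the final Gram-Schmidt data.  Indices are 0-based here."""
    b = [[Fraction(x) for x in v] for v in basis]
    n = len(b)
    H = [[Fraction(int(r == s)) for s in range(n)] for r in range(n)]
    bstar = [None] * n
    mu = [[Fraction(0)] * n for _ in range(n)]
    B = [Fraction(0)] * n

    def red(k, l):
        # Sub-algorithm RED(k, l): make |mu_{k,l}| <= 1/2.
        if abs(mu[k][l]) <= Fraction(1, 2):
            return
        q = floor(mu[k][l] + Fraction(1, 2))          # nearest integer to mu_{k,l}
        b[k] = [x - q * y for x, y in zip(b[k], b[l])]
        for r in range(n):                            # H_k <- H_k - q H_l
            H[r][k] -= q * H[r][l]
        mu[k][l] -= q
        for i in range(l):                            # mu_{k,i} <- mu_{k,i} - q mu_{l,i}
            mu[k][i] -= q * mu[l][i]

    def swap(k):
        # Sub-algorithm SWAP(k): exchange b_k, b_{k-1} and repair mu, b^*, B.
        b[k], b[k - 1] = b[k - 1], b[k]
        for r in range(n):
            H[r][k], H[r][k - 1] = H[r][k - 1], H[r][k]
        for j in range(k - 1):
            mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
        m = mu[k][k - 1]
        Bnew = B[k] + m * m * B[k - 1]
        mu[k][k - 1] = m * B[k - 1] / Bnew
        old = bstar[k - 1]
        bstar[k - 1] = [x + m * y for x, y in zip(bstar[k], old)]
        bstar[k] = [-mu[k][k - 1] * x + (B[k] / Bnew) * y for x, y in zip(bstar[k], old)]
        B[k] = B[k - 1] * B[k] / Bnew
        B[k - 1] = Bnew
        for i in range(k + 1, kmax + 1):              # later rows of mu, in this order
            t = mu[i][k]
            mu[i][k] = mu[i][k - 1] - m * t
            mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]

    k, kmax = 1, 0                                    # step 1: initialize
    bstar[0], B[0] = list(b[0]), dot(b[0], b[0])
    if B[0] == 0:
        raise ValueError("the given vectors do not form a basis")
    while k < n:                                      # step 4: stop once k > n
        if k > kmax:                                  # step 2: incremental Gram-Schmidt
            kmax = k
            bstar[k] = list(b[k])
            for j in range(k):
                mu[k][j] = dot(b[k], bstar[j]) / B[j]
                bstar[k] = [x - mu[k][j] * y for x, y in zip(bstar[k], bstar[j])]
            B[k] = dot(bstar[k], bstar[k])
            if B[k] == 0:
                raise ValueError("the given vectors do not form a basis")
        red(k, k - 1)                                 # step 3: Lovász condition
        if B[k] < (c - mu[k][k - 1] ** 2) * B[k - 1]:
            swap(k)
            k = max(1, k - 1)
        else:
            for l in range(k - 2, -1, -1):
                red(k, l)
            k += 1
    return b, H, mu, B

def lll_conditions_hold(mu, B, c=Fraction(3, 4)):
    """Definition 2.6.1 on Gram-Schmidt data: size reduction and Lovász."""
    n = len(B)
    return (all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
            and all(B[i] >= (c - mu[i][i - 1] ** 2) * B[i - 1] for i in range(1, n)))

def transform_is_consistent(basis, reduced, H):
    """Check that H is integral and that reduced[j] = sum_i H[i][j] * basis[i]."""
    n, m = len(basis), len(basis[0])
    if any(H[r][s].denominator != 1 for r in range(n) for s in range(n)):
        return False
    return all(reduced[j] == [sum(H[i][j] * basis[i][t] for i in range(n))
                              for t in range(m)] for j in range(n))

def first_vector_bound_holds(reduced, B):
    """Theorem 2.6.2 (3), exact form: |b_1|^(2n) <= 2^(n(n-1)/2) * prod_i B_i."""
    n = len(B)
    return dot(reduced[0], reduced[0]) ** n <= 2 ** (n * (n - 1) // 2) * prod(B)

SAMPLE_BASIS = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]     # constructed, not from the book

if __name__ == "__main__":
    reduced, H, mu, B = lll_reduce(SAMPLE_BASIS)
    print([[int(x) for x in v] for v in reduced], lll_conditions_hold(mu, B))
```

On the sample basis the loop performs two swaps and ends with the basis (0,1,0), (1,0,1), (-1,0,2) and $B_i = 1, 2, 9/2$, whose product is $d(L)^2 = 9$.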

Proof. It is easy to show that at the beginning of step 4, the LLL conditions
of Definition 2.6.1 are valid for $i \le k-1$. Hence, if k > n, we have indeed
obtained an LLL-reduced family, and since it is clear that the operations which
are performed on the $b_i$ are of determinant $\pm 1$, this family is a basis of L,
hence the output of the algorithm is correct. What we must show is that the
algorithm does in fact terminate.

If we set for $0 \le i \le n$

$$d_i = \det\big((b_r \cdot b_s)_{1 \le r,s \le i}\big),$$

we easily check that

$$d_i = \prod_{1 \le j \le i} B_j,$$

where as usual $B_i = |b_i^*|^2$, and in particular $d_i > 0$, and it is clear from this
that $d_0 = 1$ and $d_n = d(L)^2$. Set

$$D = \prod_{1 \le i \le n-1} d_i.$$

This can change only if some $B_i$ changes, and this can occur only in Sub-algorithm
SWAP. In that sub-algorithm the $d_i$ are unchanged for $i < k-1$
and for $i \ge k$, and by the condition of step 3, $d_{k-1}$ is multiplied by a factor at
most equal to 3/4. Hence D is also reduced by a factor at most equal to 3/4.
Let $L_i$ be the lattice of dimension i generated by the $b_j$ for $j \le i$, and let $s_i$ be
the smallest non-zero value of the quadratic form q in $L_i$. Using Proposition
6.4.1 which we will give in Chapter 6, we obtain

$$d_i \ge s_i^{\,i}\, \gamma_i^{-i} \ge s_n^{\,i}\, \gamma_i^{-i}$$

(where $\gamma_i$ is Hermite's constant in dimension i), and since $s_n$ is the smallest non-zero value of q(x) on L, this last expression
depends only on i but not on the $b_j$. It follows that $d_i$ is bounded from
below by a positive constant depending only on i and L. Hence D is bounded
from below by a positive constant depending only on L, and this shows that
the number of times that Sub-algorithm SWAP is executed must be finite.
Since this is the only place where k can decrease (after execution of the sub-algorithm)
the algorithm must terminate, and this finishes the proof of its
validity. □

A more careful analysis shows that the running time of the LLL algorithm
is at most $O(n^6 \ln^3 B)$, if $|b_i|^2 \le B$ for all i. In practice however, this upper
bound is quite pessimistic.

Remarks. 

(1)  If  the  matrix  transformation  H  is  not  desired,  one  can  suppress  from  the 
algorithm  all  the  statements  concerning  it,  since  it  does  not  play  any  real 
role. 

(2) On the other hand if the $b_i$ are given only by their Gram matrix, the $b_i$
and $b_i^*$ exist only abstractly. Hence, the only output of the algorithm is
the matrix H, and the updating of the vectors $b_i$ done in Sub-algorithms
RED and SWAP must be done directly on the Gram matrix.

In particular, step 2 must then be replaced as follows (see Exercise 21).

2. [Incremental Gram-Schmidt] If $k \le k_{\max}$ go to step 3. Otherwise, set
$k_{\max} \leftarrow k$, then for $j = 1, \dots, k-1$ set $a_{k,j} \leftarrow b_k \cdot b_j - \sum_{i=1}^{j-1} \mu_{j,i}\, a_{k,i}$ and
$\mu_{k,j} \leftarrow a_{k,j} / B_j$, then set $B_k \leftarrow b_k \cdot b_k - \sum_{i=1}^{k-1} \mu_{k,i}\, a_{k,i}$. If $B_k = 0$ output
an error message saying that the $b_i$ did not form a basis and terminate
the algorithm.

The auxiliary array $a_{k,j}$ is used to minimize the number of operations,
otherwise we could of course write the formulas directly with $\mu_{k,j}$.

Asymptotically, this requires $n^3/6$ multiplications/divisions, and this
is much faster than the $n^2 m/2$ required by Gram-Schmidt when only the
coordinates of the $b_i$ are known. Since the computation of the Gram matrix
from the coordinates of the $b_i$ also requires asymptotically $n^2 m/2$
multiplications, one should use directly the formulas of Algorithm 2.6.3
when the Gram matrix is not given.

(3) The constant 0.75 in step 3 of the algorithm can be replaced by any constant
c such that $1/4 < c < 1$. Of course, this changes the estimates given
by Theorem 2.6.2. (In the results and proof of the theorem, replace 2 by
$\alpha = 1/(c - 1/4)$, and use the weaker inequality $\mu_{i,j}^2 \le (\alpha - 1)/\alpha$.) The
speed of the algorithm and the "quality" of the final basis which one obtains
are relatively insensitive to the value of the constant. In practice,
one should perhaps use c = 0.99. The ideal value would be c = 1, but in
this case one does not know whether the LLL algorithm runs in polynomial
time, although in practice this seems to be the case.

(4) Another possibility, suggested by LaMacchia in [LaM], is to vary the constant
c in the course of the algorithm, starting the reduction with a constant
c slightly larger than 1/4 (so that the reduction is as fast as possible),
and increasing it so as to reach c = 0.99 at the end of the reduction, so
that the quality of the reduced basis is as good as possible. We refer to
[LaM] for details.

(5) We can also replace the LLL condition $B_k \ge (3/4 - \mu_{k,k-1}^2) B_{k-1}$ by the
so-called Siegel condition $B_k \ge B_{k-1}/2$. Indeed, since $|\mu_{k,k-1}| \le 1/2$, the
LLL condition with the constant c = 3/4 implies the Siegel condition, and
conversely the Siegel condition implies the LLL condition for the constant
c = 1/2. In that case the preliminary reduction RED(k, k-1) should be
performed after the test, together with the other RED(k, l).

(6) If the Gram matrix does not necessarily have rational coefficients, the $\mu_{i,j}$
and $B_i$ must be represented approximately using floating point arithmetic.
Even if the Gram matrix is rational or even integral, it is often worthwhile
to work using floating point arithmetic. The main problem with this approach
is that roundoff errors may prevent the final basis from being LLL-reduced.
In many cases, this is not really important since the basis is not
far from being LLL-reduced. It may happen however that the roundoff
errors cause catastrophic divergence from the LLL algorithm, and consequently
give a basis which is very far from being reduced in any sense.
Hence we must be careful. Let r be the number of relative precision bits.

First, during step 2 it is possible to replace the computation of the
products $b_i \cdot b_j$ by floating point approximations (of course only in the
case where the $b_i$ are given by coordinates, otherwise there is nothing to
compute). This should not be done if $b_i$ and $b_j$ are nearly orthogonal,
i.e. if $b_i \cdot b_j / (|b_i|\,|b_j|)$ is smaller than $2^{-r/2}$ say. In that case, $b_i \cdot b_j$ should
be computed as exactly as possible using the given data.

Second, at the beginning of Sub-algorithm RED, the nearest integer
q to $\mu_{k,l}$ is computed. If q is too large, say $q > 2^{r/2}$, then $\mu_{k,l} - q$ will
have a small relative precision and the values of the $\mu_{k,l}$ will soon become
incorrect. In that case, we should recompute the $\mu_{k-1,j}$, $\mu_{k,j}$, $B_{k-1}$ and
$B_k$ directly from the Gram-Schmidt formulas, set $k \leftarrow \max(k-1, 2)$ and
start again at step 3.

These modifications (and many more) are explained in a rigorous theoretical
setting in [Schn], and for practical uses in [Schn-Euch] to which
we refer.

(7) The algorithm assumes that the $b_i$ are linearly independent. If they are
not, we will get an error message in the Gram-Schmidt stage of the algorithm.
It is possible to modify the algorithm so that it will not only
work in this case, but in fact output a true basis and a set of linearly
independent relations for the initial set of vectors (see Algorithm 2.6.8).


2.6.2  The  LLL  Algorithm  with  Deep  Insertions 

A modification of the LLL algorithm due to Schnorr and Euchner ([Schn-Euc])
is the following. It may be argued that the Lovász condition
$B_k \ge (0.75 - \mu_{k,k-1}^2) B_{k-1}$ (in addition to the requirement $|\mu_{k,j}| \le 1/2$) should be
strengthened, taking into account the earlier $B_j$. If this is done rashly however,
it leads to a non-polynomial time algorithm, both in theory and in practice.
This is, of course, one of the reasons for the choice of a weaker condition.
Schnorr and Euchner (loc. cit.) have observed however that one can
strengthen the above condition without losing much on the practical speed of
the algorithm, although in the worst case the resulting algorithm is no longer
polynomial time. They report that in many cases, this leads to considerably
shorter lattice vectors than the basic LLL algorithm.

The idea is as follows. If $b_k$ is inserted between $b_{i-1}$ and $b_i$ for some
i < k, then (Exercise 22) the new $B_i$ will become

$$b_k \cdot b_k - \sum_{1 \le j < i} \mu_{k,j}^2 B_j = B_k + \sum_{i \le j < k} \mu_{k,j}^2 B_j.$$

If this is significantly smaller than the old $B_i$ (say at most $\frac{3}{4} B_i$ as in our initial
version of LLL), then it is reasonable to do this insertion. Note that the case
i = k-1 of this test is exactly the original LLL condition. For these tests
to make sense, Sub-algorithm RED(k, l) must be executed before the test for all
l < k and not only for l = k-1 as in Algorithm 2.6.3.

Inserting $b_k$ just after $b_{i-1}$ for some i < k will be called a deep insertion.
After such an insertion, k must be set back to $\max(i-1, 2)$, and the $\mu_{i,j}$
and $B_j$ must be updated. When i < k-1 however, the formulas become
complicated and it is probably best to recompute the new Gram-Schmidt
coefficients instead of updating them. One consequence of this is that we do
not need to keep track of the largest value $k_{\max}$ that k has attained.

This leads to the following algorithm, due in essence to Schnorr and Euchner
([Schn-Euc]).

Algorithm 2.6.4 (LLL Algorithm with Deep Insertions). Given a basis $b_1, b_2, \dots, b_n$
of a lattice (L, q) (either by coordinates in the canonical basis of $\mathbb{R}^m$
for some $m \ge n$ or by its Gram matrix), this algorithm transforms the vectors
$b_i$ so that when the algorithm terminates, the $b_i$ form an LLL-reduced basis. In
addition, the algorithm outputs a matrix H giving the coordinates of the LLL-reduced
basis in terms of the initial basis. As usual we will denote by $H_i$ the
columns of H.

1. [Initialize] Set $k \leftarrow 1$ and $H \leftarrow I_n$.

2. [Incremental Gram-Schmidt] Set $b_k^* \leftarrow b_k$, then for $j = 1, \dots, k-1$ set
$\mu_{k,j} \leftarrow b_k \cdot b_j^* / B_j$ and $b_k^* \leftarrow b_k^* - \mu_{k,j} b_j^*$. Then set $B_k \leftarrow b_k^* \cdot b_k^*$. If $B_k = 0$
output an error message saying that the $b_i$ did not form a basis and terminate
the algorithm. Finally, if k = 1, set $k \leftarrow 2$ and go to step 5.

3. [Initialize test] For $l = k-1, k-2, \dots, 1$ execute Sub-algorithm RED(k, l)
above. Set $B \leftarrow b_k \cdot b_k$ and $i \leftarrow 1$.

4. [Deep LLL test] If i = k, set $k \leftarrow k+1$ and go to step 5. Otherwise, do
as follows. If $\frac{3}{4} B_i \le B$ set $B \leftarrow B - \mu_{k,i}^2 B_i$, $i \leftarrow i+1$ and go to step 4.
Otherwise, execute Sub-algorithm INSERT(k, i) below. If $i \ge 2$ set $k \leftarrow i-1$,
$B \leftarrow b_k \cdot b_k$, $i \leftarrow 1$ and go to step 4. If i = 1, set $k \leftarrow 1$ and go to step 2.

5. [Finished?] If $k \le n$, then go to step 2. Otherwise, output the LLL-reduced
basis $b_i$, the transformation matrix $H \in GL_n(\mathbb{Z})$ and terminate the algorithm.

Sub-algorithm INSERT(k, i). Set $b \leftarrow b_k$, $V \leftarrow H_k$, for $j = k, k-1, \dots, i+1$
set $b_j \leftarrow b_{j-1}$ and $H_j \leftarrow H_{j-1}$, and finally set $b_i \leftarrow b$ and $H_i \leftarrow V$. Terminate
the sub-algorithm.


2.6.3 The Integral LLL Algorithm

If the Gram matrix of the $b_i$ has integral coefficients, the $\mu_{i,j}$ and the $B_k$ will be rational and it may be tempting to do all the computation with rational numbers. Unfortunately, the repeated GCD computations necessary for performing rational arithmetic during the algorithm slow it down considerably. There are essentially two ways to overcome this problem. The first is to do only approximate computations of the $\mu_{i,j}$ and the $B_i$ as mentioned above.

The second is as follows. In the proof of Algorithm 2.6.3 we have introduced quantities $d_i$ which are clearly integral in our case, since they are equal to sub-determinants of our Gram matrix. We have the following integrality results.

Proposition 2.6.5. Assume that the Gram matrix $(b_i\cdot b_j)$ is integral, and set
$$d_i=\det\big((b_r\cdot b_s)_{1\le r,s\le i}\big)=\prod_{1\le j\le i}B_j.$$
Then for all $i$ and for all $j<i$:

(1) $d_{i-1}B_i\in\mathbb{Z}$ and $d_j\mu_{i,j}\in\mathbb{Z}$;

(2) for all $m$ such that $j<m\le i$,
$$d_j\Big(b_i\cdot b_m-\sum_{1\le k\le j}\mu_{i,k}\mu_{m,k}B_k\Big)\in\mathbb{Z}.$$
Proof. We have seen above that $d_i=\prod_{1\le k\le i}B_k$, hence $d_{i-1}B_i=d_i\in\mathbb{Z}$. For the second statement of (1), let $j<i$ and consider the vector
$$v=b_i-\sum_{1\le k\le j}\mu_{i,k}b_k^*=b_i^*+\sum_{j<k<i}\mu_{i,k}b_k^*.$$
From the second expression it is clear that $b_k^*\cdot v=0$ for all $k$ such that $1\le k\le j$, or equivalently, since the $\mathbb{R}$-span of the $b_k^*$ ($1\le k\le j$) is equal to the $\mathbb{R}$-span of the $b_k$,
$$b_k\cdot v=0\quad\text{for }1\le k\le j.$$
For the same reason, we can write
$$v=b_i-\sum_{1\le k\le j}x_kb_k$$
for some $x_k\in\mathbb{R}$. Then the above equations can be written in matrix form
$$\begin{pmatrix}b_1\cdot b_1&\cdots&b_1\cdot b_j\\ \vdots&&\vdots\\ b_j\cdot b_1&\cdots&b_j\cdot b_j\end{pmatrix}\begin{pmatrix}x_1\\ \vdots\\ x_j\end{pmatrix}=\begin{pmatrix}b_1\cdot b_i\\ \vdots\\ b_j\cdot b_i\end{pmatrix}.$$
In particular, since the determinant of the matrix is equal by definition to $d_j$, by inverting the matrix (Cramer's rule) we see that the $x_k$ are of the form $m_k/d_j$ for some $m_k\in\mathbb{Z}$ (since the Gram matrix is integral). Furthermore, the equality $\sum_{1\le k\le j}x_kb_k=\sum_{1\le k\le j}\mu_{i,k}b_k^*$ shows, by taking the scalar product with $b_j^*$ (which gives $x_jB_j=\mu_{i,j}B_j$), that $x_j=\mu_{i,j}$, thus proving (1).

For (2) we note that by what we have proved, $d_jv$ is an integral linear combination of the $b_k$ (in other words it belongs to the lattice), hence in particular $d_jv\cdot b_m\in\mathbb{Z}$ for all $m$ such that $1\le m\le n$. Since $v=b_i-\sum_{1\le k\le j}\mu_{i,k}b_k^*$ and $b_k^*\cdot b_m=\mu_{m,k}B_k$ for $k<m$, we obtain (2). □

Corollary 2.6.6. With the same hypotheses and notations as the proposition, set $\lambda_{i,j}=d_j\mu_{i,j}$ for $j<i$ (so $\lambda_{i,j}\in\mathbb{Z}$) and $\lambda_{i,i}=d_i$. Then for $j<i$ fixed, if we define the sequence $u_k$ by $u_0=b_i\cdot b_j$ and for $1\le k<j$
$$u_k=\frac{d_ku_{k-1}-\lambda_{i,k}\lambda_{j,k}}{d_{k-1}},$$
then $u_k\in\mathbb{Z}$ and $u_{j-1}=\lambda_{i,j}$.

Proof. It is easy to check by induction on $k$ that
$$u_k=d_k\Big(b_i\cdot b_j-\sum_{1\le l\le k}\mu_{i,l}\mu_{j,l}B_l\Big)=d_k\Big(b_i\cdot b_j-\sum_{1\le l\le k}\frac{\lambda_{i,l}\lambda_{j,l}}{d_{l-1}d_l}\Big)$$
and the proposition shows that this last expression is integral. We also have $u_{j-1}=B_jd_{j-1}\mu_{i,j}=d_j\mu_{i,j}=\lambda_{i,j}$, thus proving the corollary. □

Using these results, it is easy to modify Algorithm 2.6.3 so as to work entirely with integers. This leads to the following algorithm, where it is assumed that the basis is given by its Gram matrix. (Hence, if the basis is given in terms of coordinates, compute first the Gram matrix before applying the algorithm, or modify appropriately the formulas of step 2.) Essentially the same algorithm is given in [de Weg].
Algorithm 2.6.7 (Integral LLL Algorithm). Given a basis $b_1,b_2,\ldots,b_n$ of a lattice $(L,q)$ by its Gram matrix, which is assumed to have integral coefficients, this algorithm transforms the vectors $b_i$ so that when the algorithm terminates, the $b_i$ form an LLL-reduced basis. The algorithm outputs a matrix $H$ giving the coordinates of the LLL-reduced basis in terms of the initial basis. We will denote by $H_i$ the column vectors of $H$. All computations are done using integers only.

1. [Initialize] Set $k\leftarrow2$, $k_{\max}\leftarrow1$, $d_0\leftarrow1$, $d_1\leftarrow b_1\cdot b_1$ and $H\leftarrow I_n$.

2. [Incremental Gram-Schmidt] If $k\le k_{\max}$ go to step 3. Otherwise, set $k_{\max}\leftarrow k$ and for $j=1,\ldots,k$ (in that order) do as follows: set $u\leftarrow b_k\cdot b_j$ and for $i=1,\ldots,j-1$ set
$$u\leftarrow\frac{d_iu-\lambda_{k,i}\lambda_{j,i}}{d_{i-1}}$$
(the result is in $\mathbb{Z}$), then if $j<k$ set $\lambda_{k,j}\leftarrow u$ and if $j=k$ set $d_k\leftarrow u$. If $d_k=0$, the $b_i$ did not form a basis, hence output an error message and terminate the algorithm (but see also Algorithm 2.6.8).

3. [Test LLL condition] Execute Sub-algorithm REDI($k,k-1$) below. If $d_kd_{k-2}<\frac34d_{k-1}^2-\lambda_{k,k-1}^2$, execute Sub-algorithm SWAPI($k$) below, set $k\leftarrow\max(2,k-1)$ and go to step 3. Otherwise, for $l=k-2,k-3,\ldots,1$ execute Sub-algorithm REDI($k,l$), then set $k\leftarrow k+1$.

4. [Finished?] If $k\le n$ go to step 2. Otherwise, output the transformation matrix $H\in GL_n(\mathbb{Z})$ and terminate the algorithm.

Sub-algorithm REDI($k,l$). If $|2\lambda_{k,l}|\le d_l$ terminate the sub-algorithm. Otherwise, let $q$ be the integer nearest to $\lambda_{k,l}/d_l$, i.e. the quotient of the Euclidean division of $2\lambda_{k,l}+d_l$ by $2d_l$. Set $H_k\leftarrow H_k-qH_l$, $b_k\leftarrow b_k-qb_l$, $\lambda_{k,l}\leftarrow\lambda_{k,l}-qd_l$, for all $i$ such that $1\le i\le l-1$ set $\lambda_{k,i}\leftarrow\lambda_{k,i}-q\lambda_{l,i}$ and terminate the sub-algorithm.

Sub-algorithm SWAPI($k$). Exchange the vectors $H_k$ and $H_{k-1}$, exchange $b_k$ and $b_{k-1}$, and if $k>2$, for all $j$ such that $1\le j\le k-2$ exchange $\lambda_{k,j}$ with $\lambda_{k-1,j}$. Then set $\lambda\leftarrow\lambda_{k,k-1}$, $B\leftarrow(d_{k-2}d_k+\lambda^2)/d_{k-1}$, then for $i=k+1,k+2,\ldots,k_{\max}$ set (in this order) $t\leftarrow\lambda_{i,k}$, $\lambda_{i,k}\leftarrow(d_k\lambda_{i,k-1}-\lambda t)/d_{k-1}$ and $\lambda_{i,k-1}\leftarrow(Bt+\lambda\lambda_{i,k})/d_k$. Finally, set $d_{k-1}\leftarrow B$ and terminate the sub-algorithm.

It is an easy exercise (Exercise 24) to check that these formulas correspond exactly to the formulas of Algorithm 2.6.3.

Remark. In step 3, the fundamental LLL comparison $d_kd_{k-2}<\frac34d_{k-1}^2-\lambda_{k,k-1}^2$ involves the non-integral number $\frac34$ (it could also be 0.99). This is not really a problem since this comparison can be done any way one likes (by multiplying by 4, or using floating point arithmetic), since a roundoff error at that point is totally unimportant.
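The following Python version of Algorithm 2.6.7 is an added example and not code from the book. It assumes the basis is given by its integral Gram matrix $G_0$ (a list of lists of ints) and keeps only the integers $\lambda_{i,j}$, $d_j$ and $H$. Instead of updating the Gram matrix in place at each REDI ($b_k\leftarrow b_k-qb_l$), the products $b_k\cdot b_j$ needed in step 2 are recomputed as $G_0[k]\cdot H_j$ from the initial Gram matrix and the current $H$, which is the same quantity because $b_k$ is still an input vector whenever $k>k_{\max}$. The Lovász test is multiplied by 4 as the Remark suggests. The checker `is_lll_reduced` redoes Gram-Schmidt with exact rationals, independently of the integer code, which is the test one wants before trusting a reduction routine; the names `integral_lll`, `gram_of`, `apply_H` and the two sample bases are mine.

```python
from fractions import Fraction

def integral_lll(G0):
    """Algorithm 2.6.7 on an integral Gram matrix G0 = (b_i . b_j), all-integer.
    Returns (H, d): H is unimodular, column j = coordinates of the j-th reduced
    vector in the initial basis; d[j] = j-th leading sub-determinant of the final
    Gram matrix (d[n] = det G0 is invariant). k, j, i, l are 1-based as in the text."""
    n = len(G0)
    H = [[int(i == j) for j in range(n)] for i in range(n)]
    lam = [[0] * (n + 1) for _ in range(n + 1)]     # lam[i][j] = d_j * mu_{i,j}
    d = [0] * (n + 1)
    d[0], d[1] = 1, G0[0][0]

    def dot(k, j):
        # b_k . b_j for k > kmax: b_k is still the k-th input vector and
        # b_j = sum_m H[m][j] b_m(initial), so the Gram matrix needs no in-place update
        return sum(G0[k - 1][m] * H[m][j - 1] for m in range(n))

    def redi(k, l):
        if abs(2 * lam[k][l]) <= d[l]:
            return
        q = (2 * lam[k][l] + d[l]) // (2 * d[l])     # nearest integer to lambda/d_l
        for m in range(n):
            H[m][k - 1] -= q * H[m][l - 1]
        lam[k][l] -= q * d[l]
        for i in range(1, l):
            lam[k][i] -= q * lam[l][i]

    def swapi(k, kmax):
        for m in range(n):
            H[m][k - 1], H[m][k - 2] = H[m][k - 2], H[m][k - 1]
        for j in range(1, k - 1):
            lam[k][j], lam[k - 1][j] = lam[k - 1][j], lam[k][j]
        L = lam[k][k - 1]
        Bn = (d[k - 2] * d[k] + L * L) // d[k - 1]   # every division here is exact
        for i in range(k + 1, kmax + 1):
            t = lam[i][k]
            lam[i][k] = (d[k] * lam[i][k - 1] - L * t) // d[k - 1]
            lam[i][k - 1] = (Bn * t + L * lam[i][k]) // d[k]
        d[k - 1] = Bn

    k, kmax = 2, 1
    while k <= n:
        if k > kmax:                                  # step 2: incremental Gram-Schmidt
            kmax = k
            for j in range(1, k + 1):
                u = dot(k, j)
                for i in range(1, j):
                    u = (d[i] * u - lam[k][i] * lam[j][i]) // d[i - 1]
                if j < k:
                    lam[k][j] = u
                else:
                    d[k] = u
            if d[k] == 0:
                raise ValueError("the input vectors are linearly dependent")
        redi(k, k - 1)                                # step 3
        # d_k d_{k-2} < (3/4) d_{k-1}^2 - lambda^2, multiplied by 4 to stay in Z
        if 4 * d[k] * d[k - 2] < 3 * d[k - 1] ** 2 - 4 * lam[k][k - 1] ** 2:
            swapi(k, kmax)
            k = max(2, k - 1)
        else:
            for l in range(k - 2, 0, -1):
                redi(k, l)
            k += 1
    return H, d

def gram_of(basis):
    """Gram matrix of integer row vectors (usual scalar product)."""
    return [[sum(x * y for x, y in zip(u, v)) for v in basis] for u in basis]

def apply_H(basis, H):
    """Reduced vectors: column j of H gives the coordinates of the j-th one."""
    n, m = len(basis), len(basis[0])
    return [[sum(H[i][j] * basis[i][c] for i in range(n)) for c in range(m)] for j in range(n)]

def is_lll_reduced(G, delta=Fraction(3, 4)):
    """Independent check with exact rationals from a Gram matrix: Gram-Schmidt,
    size condition |mu_{i,j}| <= 1/2 and the Lovasz condition with constant delta."""
    n = len(G)
    mu = [[Fraction(0)] * n for _ in range(n)]
    B = [Fraction(0)] * n
    for i in range(n):
        for j in range(i):   # b_i . b_j^* = G[i][j] - sum_{l<j} mu_{j,l} mu_{i,l} B_l
            mu[i][j] = (Fraction(G[i][j]) - sum(mu[j][l] * mu[i][l] * B[l] for l in range(j))) / B[j]
        B[i] = Fraction(G[i][i]) - sum(mu[i][l] ** 2 * B[l] for l in range(i))
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
    lovasz_ok = all(B[k] >= (delta - mu[k][k - 1] ** 2) * B[k - 1] for k in range(1, n))
    return size_ok and lovasz_ok

if __name__ == "__main__":
    # constructed sample basis (rows); its Gram matrix is what the algorithm sees
    basis = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]
    H, d = integral_lll(gram_of(basis))
    reduced = apply_H(basis, H)
    print(reduced, is_lll_reduced(gram_of(reduced)), d[-1])
```

On the 2-dimensional basis $(4,1),(7,2)$ the run is short enough to follow by hand against the text: one REDI with $q=2$, one SWAPI, one REDI with $q=-4$, and the output is $H=\begin{pmatrix}-2&-7\\1&4\end{pmatrix}$ with Gram matrix $I_2$.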
2.6.4 LLL Algorithms for Linearly Dependent Vectors

As has been said above, the LLL algorithm cannot be applied directly to a system of linearly dependent vectors $b_i$. It can however be modified so as to work in this case, and to output a basis and a system of relations. The problem is that in the Gram-Schmidt orthogonalization procedure we will have at some point $B_i=b_i^*\cdot b_i^*=0$. This means of course that $b_i$ is equal to a linear combination of the $b_j$ for $j<i$. Since Gram-Schmidt performs projections of the successive vectors on the subspace generated by the preceding ones, this means that we can forget the index $i$ in the rest of the orthogonalization (although not the vector $b_i$ itself). This leads to the following algorithm which is very close to Algorithm 2.6.3 and whose proof is left to the reader.

Algorithm 2.6.8 (LLL Algorithm on Not Necessarily Independent Vectors). Given $n$ non-zero vectors $b_1,b_2,\ldots,b_n$ generating a lattice $(L,q)$ (either by coordinates or by their Gram matrix), this algorithm transforms the vectors $b_i$ and computes the rank $p$ of the lattice $L$ so that when the algorithm terminates $b_i=0$ for $1\le i\le n-p$ and the $b_i$ for $n-p<i\le n$ form an LLL-reduced basis of $L$. In addition, the algorithm outputs a matrix $H$ giving the coordinates of the new $b_i$ in terms of the initial ones. In particular, the first $n-p$ columns $H_i$ of $H$ will be a basis of relation vectors for the $b_i$, i.e. of vectors $r$ such that
$$\sum_{1\le i\le n}r_ib_i=0.$$

1. [Initialize] Set $k\leftarrow2$, $k_{\max}\leftarrow1$, $b_1^*\leftarrow b_1$, $B_1\leftarrow b_1\cdot b_1$ and $H\leftarrow I_n$.

2. [Incremental Gram-Schmidt] If $k\le k_{\max}$ go to step 3. Otherwise, set $k_{\max}\leftarrow k$ and for $j=1,\ldots,k-1$ set $\mu_{k,j}\leftarrow b_k\cdot b_j^*/B_j$ if $B_j\ne0$ and $\mu_{k,j}\leftarrow0$ if $B_j=0$, then set $b_k^*\leftarrow b_k-\sum_{1\le j<k}\mu_{k,j}b_j^*$ and $B_k\leftarrow b_k^*\cdot b_k^*$ (use the formulas given in Remark (2) above if the $b_i$ are given by their Gram matrix).

3. [Test LLL condition] Execute Sub-algorithm RED($k,k-1$) above. If $B_k<(0.75-\mu_{k,k-1}^2)B_{k-1}$, execute Sub-algorithm SWAPG($k$) below, set $k\leftarrow\max(2,k-1)$ and go to step 3. Otherwise, for $l=k-2,k-3,\ldots,1$ execute Sub-algorithm RED($k,l$), then set $k\leftarrow k+1$.

4. [Finished?] If $k\le n$ go to step 2. Otherwise, let $r$ be the number of the leading vectors $b_i$ which are equal to zero, output $p\leftarrow n-r$, the vectors $b_i$ for $r+1\le i\le n$ (which form an LLL-reduced basis of $L$), the transformation matrix $H\in GL_n(\mathbb{Z})$ and terminate the algorithm.

Sub-algorithm SWAPG($k$). Exchange the vectors $b_k$ and $b_{k-1}$, $H_k$ and $H_{k-1}$, and if $k>2$, for all $j$ such that $1\le j\le k-2$ exchange $\mu_{k,j}$ with $\mu_{k-1,j}$. Then set $\mu\leftarrow\mu_{k,k-1}$ and $B\leftarrow B_k+\mu^2B_{k-1}$. Now, in the case $B=0$ (i.e. $B_k=\mu=0$), exchange $B_k$ and $B_{k-1}$, exchange $b_k^*$ and $b_{k-1}^*$ and for $i=k+1,k+2,\ldots,k_{\max}$ exchange $\mu_{i,k}$ and $\mu_{i,k-1}$.

In the case $B_k=0$ and $\mu\ne0$, set $B_{k-1}\leftarrow B$, $b_{k-1}^*\leftarrow\mu b_{k-1}^*$, $\mu_{k,k-1}\leftarrow1/\mu$ and for $i=k+1,k+2,\ldots,k_{\max}$ set $\mu_{i,k-1}\leftarrow\mu_{i,k-1}/\mu$.

Finally, in the case $B_k\ne0$, set (in this order) $t\leftarrow B_{k-1}/B$, $\mu_{k,k-1}\leftarrow\mu t$, $b\leftarrow b_{k-1}^*$, $b_{k-1}^*\leftarrow b_k^*+\mu b$, $b_k^*\leftarrow-\mu_{k,k-1}b_k^*+(B_k/B)b$, $B_k\leftarrow B_kt$, $B_{k-1}\leftarrow B$, then for $i=k+1,k+2,\ldots,k_{\max}$ set (in this order) $t\leftarrow\mu_{i,k}$, $\mu_{i,k}\leftarrow\mu_{i,k-1}-\mu t$, $\mu_{i,k-1}\leftarrow t+\mu_{k,k-1}\mu_{i,k}$. Terminate the sub-algorithm.

Note that in this sub-algorithm, in the case $B=0$, we have $B_k=0$ and hence $\mu_{i,k}=0$ for $i>k$, so the exchanges are equivalent to setting $B_k\leftarrow B_{k-1}$, $B_{k-1}\leftarrow0$ and for $i\ge k+1$, $\mu_{i,k}\leftarrow\mu_{i,k-1}$ and $\mu_{i,k-1}\leftarrow0$.

An  important  point  must  be  made  concerning  this  algorithm.  Since  several 
steps  of  the  algorithm  test  whether  some  quantity  is  equal  to  zero  or  not,  it  can 
be  applied  only  to  vectors  with  exact  (i.e.  rational)  entries.  Indeed,  for  vectors 
with  non-exact  entries,  the  notion  of  relation  vector  is  itself  not  completely 
precise  since  some  degree  of  approximation  must  be  given  in  advance.  Thus 
the  reader  is  advised  to  use  caution  when  using  LLL  algorithms  for  linearly 
dependent  vectors  when  they  are  non-exact.  (For  instance,  we  could  replace  a 
test  Bk  =  0  by  Bk  <  e  for  a  suitable  e.) 

We must prove that this algorithm is valid. To show that it terminates, we use a quantity similar to the one used in the proof of the validity of Algorithm 2.6.3. We set
$$d_k=\prod_{i\le k,\ B_i\ne0}B_i\qquad\text{and}\qquad D=\prod_{k\le n,\ B_k\ne0}d_k\ \prod_{k\le n,\ B_k=0}2^k.$$
This quantity is modified only in Sub-algorithm SWAPG($k$). If $B=B_k+\mu^2B_{k-1}\ne0$, then $d_{k-1}$ is multiplied by a factor which is smaller than $3/4$ and the others are unchanged, hence $D$ decreases by a factor at least $3/4$ as in the usual LLL algorithm. If $B=0$, then $B_{k-1}$ becomes 0 and $B_k$ becomes equal to $B_{k-1}$, hence $d_{k-1}$ becomes equal to $d_{k-2}$, $d_k$ stays the same (since $B_{k-1}d_{k-2}=d_{k-1}=d_k$ when $B_k=0$) as well as the others, so $D$ is multiplied by $2^{k-1}/2^k=1/2$, hence decreases multiplicatively again, thus showing that the algorithm terminates since $D$ is bounded from below.

When the algorithm terminates, we have for all $i$, $j$ and $k$ the conditions $B_k\ge(3/4-\mu_{k,k-1}^2)B_{k-1}$ and $|\mu_{i,j}|\le1/2$. If $p$ is the rank of the lattice $L$, it follows that $n-p$ of the $B_i$ must be equal to zero, and these inequalities show that it must be the first $n-p$ of the $B_i$, since $B_i=0$ implies $B_j=0$ for $j<i$ (indeed $\mu_{i,i-1}^2\le1/4$ gives $B_{i-1}\le2B_i=0$). Since the vector space generated by the $b_i^*$ for $i\le n-p$ is the same as the space generated by the $b_i$ for $i\le n-p$, it follows that $b_i=0$ for $i\le n-p$. Since the $b_i$ form a generating set for $L$ over $\mathbb{Z}$ throughout the algorithm, the $b_i$ for $i>n-p$ also generate $L$, hence they form a basis since there are exactly $p$ of them, and this basis is LLL-reduced by construction. It also follows from the vanishing of the $b_i$ for $i\le n-p$ that the first $n-p$ columns $H_i$ of $H$ are relation vectors for our initial $b_i$. Since $H$ is an integer matrix with determinant $\pm1$, it is an easy exercise to see that these columns form a basis of the space of relation vectors for the initial $b_i$ (Exercise 25). □

This  algorithm  is  essentially  due  to  M.  Pohst  and  called  by  him  the  MLLL 
algorithm  (for  Modified  LLL,  see  [Poh2]). 
We leave as an excellent exercise for the reader to write an all-integer version of Algorithm 2.6.8 when the Gram matrix is integral (see Exercise 26).

Summary.  We  have  seen  a  number  of  modifications  and  variations  on  the 
basic  LLL  Algorithm  2.6.3.  Most  of  these  can  be  combined.  We  summarize 
them  here. 

(1) The Gram-Schmidt formulas of step 2 can be modified to use only the Gram matrix of the $b_i$ (see Remark (2) after Algorithm 2.6.3).

(2) If the Gram matrix is integral, the computation can be done entirely with integers (see Algorithm 2.6.7).

(3) If floating point computations are used, care must be taken during the computation of the $b_i\cdot b_j$ and when the nearest integer to a $\mu_{k,l}$ is computed (see Remark (4) after Algorithm 2.6.3).

(4) If we want better quality vectors than those output by the LLL algorithm, we can use deep insertion to improve the output (see Algorithm 2.6.4).

(5) If the vectors $b_i$ are not linearly independent, we must use Algorithm 2.6.8, combined if desired with any of the preceding variations.


2.7  Applications  of  the  LLL  Algorithm 

2.7.1  Computing  the  Integer  Kernel  and  Image  of  a  Matrix 

In Section 2.4.3 we have seen how to apply the Hermite normal form algorithms to the computation of the image and kernel of an integer matrix $A$. It is clear that this can also be done using the MLLL algorithm (in fact its integer version, see Exercise 26). Indeed if we set $b_i$ to be the columns of $A$, the vectors $b_i$ output by Algorithm 2.6.8 form an LLL-reduced basis of the image of $A$ and the relation vectors $H_i$ for $i\le r=n-p$ form a basis of the integer kernel of $A$. If desired, the result given by Algorithm 2.6.8 can be improved in two ways. First, the relation vectors $H_i$ for $i\le r$ are not LLL-reduced, so it is useful to LLL-reduce them to obtain small relations. This means that we will multiply the first $r$ columns of $H$ on the right by an $r\times r$ invertible matrix over $\mathbb{Z}$, and this of course leaves $H$ unimodular.

Second, although the basis $b_i$ for $r<i\le n$ is already an LLL-reduced basis for the image of $A$ and hence cannot be improved much, the last $p$ columns of $H$ (which express the LLL-reduced $b_i$ in terms of the initial $b_i$) can be large and in many situations it is desirable to reduce their size. Here we must not LLL-reduce these columns since the corresponding image vectors $b_i$ would in general no longer be LLL-reduced. (This is of course a special case of the important but difficult problem of simultaneously reducing a lattice basis and its dual, see [Sey2].) We still have some freedom however since we can replace any column $H_i$ for $i>r$ by
$$H_i-\sum_{1\le j\le r}m_jH_j$$
for any $m_j\in\mathbb{Z}$ since this will not change the $b_i$ and will preserve the relation $\det(H)=\pm1$. To choose the $m_j$ close to optimally we proceed as follows. Let $C$ be the Gram matrix of the vectors $H_j$ for $j\le r$. Using Algorithm 2.2.1 compute $X=(x_1,\ldots,x_r)^t$, the solution to the linear system $CX=V_i$, where $V_i$ is the column vector whose $j$-th element is equal to $H_i\cdot H_j$ (here the scalar product is the usual one). Then by elementary geometric arguments it is clear that the vector $\sum_{j\le r}x_jH_j$ is the projection of $H_i$ on the real vector space generated by the $H_j$ for $j\le r$, hence a close to optimal choice of the $m_j$ is to choose $m_j=\lfloor x_j\rceil$, the integer nearest to $x_j$. Since we have several linear systems to solve using the same matrix, it is preferable to invert the matrix using Algorithm 2.2.2, and this gives the following algorithm.

Algorithm 2.7.1 (Kernel and Image of a Matrix Using LLL). Given an $m\times n$ matrix $A$ with integral entries, this algorithm computes an $n\times n$ matrix $H$ and a number $p$ with the following properties. The matrix $H$ has integral entries and is of determinant equal to $\pm1$ (i.e. $H\in GL_n(\mathbb{Z})$). The first $n-p$ columns of $H$ form an LLL-reduced basis of the integer kernel of $A$. The products of $A$ with the last $p$ columns of $H$ give an LLL-reduced basis of the image of $A$, and the coefficients of these last $p$ columns are small.

1. [Apply MLLL] Perform Algorithm 2.6.8 on the vectors $b_i$ equal to the columns of $A$, the Euclidean scalar product being the usual scalar product on vectors. We thus obtain $p$ and a matrix $H\in GL_n(\mathbb{Z})$. Set $r\leftarrow n-p$.

2. [LLL-reduce the kernel] Using the integral LLL Algorithm 2.6.7, replace the first $r$ vectors of $H$ by an LLL-reduced basis of the lattice that they generate.

3. [Compute inverse of Gram matrix] Let $C$ be the Gram matrix of the $H_j$ for $j\le r$ (i.e. $C_{j,k}=H_j\cdot H_k$ for $1\le j,k\le r$), set $D\leftarrow C^{-1}$ computed using Algorithm 2.2.2, and set $i\leftarrow r$.

4. [Finished?] Set $i\leftarrow i+1$. If $i>n$, output the matrix $H$ and the number $p$ and terminate the algorithm.

5. [Modify $H_i$] Let $V$ be the $r$-dimensional column vector whose $j$-th coordinate is $H_i\cdot H_j$. Set $X\leftarrow DV$, and for $j\le r$ set $m_j\leftarrow\lfloor x_j\rceil$, where $x_j$ is the $j$-th component of $X$. Finally, set $H_i\leftarrow H_i-\sum_{1\le j\le r}m_jH_j$ and go to step 4.

A practical implementation of this algorithm should use only an all-integer version of Algorithm 2.6.8 (see Exercise 26), and the other steps can be similarly modified so that all the computations are done with integers only.
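As an added example (not code from the book, and with the rational arithmetic the text warns is slow rather than the all-integer version of Exercise 26), here is Algorithm 2.6.8 with its three-case SWAPG, driven as in step 1 of Algorithm 2.7.1 to obtain the integer kernel and an LLL-reduced image of an integer matrix. Exact `Fraction` arithmetic is used so that the tests $B_k=0$ are exact, which is the point made above about non-exact input. Steps 2-5 of Algorithm 2.7.1 (re-reducing the kernel basis and shrinking the last columns of $H$) are not included; the names `mlll` and `kernel_and_image` and the sample matrix are mine.

```python
from fractions import Fraction

def mlll(vectors):
    """Algorithm 2.6.8 (MLLL, Pohst) in exact rational arithmetic.
    vectors: n non-zero integer vectors b_1..b_n (rows), possibly dependent.
    Returns (H, p, b): H unimodular, column H_j = coordinates of the final b_j in
    the initial vectors; p = rank; b = final vectors, b[0..n-p-1] zero and
    b[n-p..] an LLL-reduced basis of the lattice the input generates."""
    n = len(vectors)
    b = [[Fraction(x) for x in v] for v in vectors]
    H = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    bs = [None] * n                          # Gram-Schmidt vectors b_j^*
    B = [Fraction(0)] * n                    # B_j = b_j^* . b_j^*  (0 marks a dependence)
    mu = [[Fraction(0)] * n for _ in range(n)]
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    axpy = lambda u, c, v: [x + c * y for x, y in zip(u, v)]   # u + c*v

    def red(k, l):                           # Sub-algorithm RED(k, l)
        if abs(mu[k][l]) <= Fraction(1, 2):
            return
        q = round(mu[k][l])                  # nearest integer, exact on Fractions
        b[k] = axpy(b[k], -q, b[l])
        for i in range(n):
            H[i][k] -= q * H[i][l]
        mu[k][l] -= q
        for i in range(l):
            mu[k][i] -= q * mu[l][i]

    def swapg(k, kmax):                      # Sub-algorithm SWAPG(k): three cases
        b[k], b[k - 1] = b[k - 1], b[k]
        for i in range(n):
            H[i][k], H[i][k - 1] = H[i][k - 1], H[i][k]
        for j in range(k - 1):
            mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
        m = mu[k][k - 1]
        Bn = B[k] + m * m * B[k - 1]
        if Bn == 0:                          # B_k = mu = 0: the zero vector moves up
            B[k], B[k - 1] = B[k - 1], B[k]
            bs[k], bs[k - 1] = bs[k - 1], bs[k]
            for i in range(k + 1, kmax + 1):
                mu[i][k], mu[i][k - 1] = mu[i][k - 1], mu[i][k]
        elif B[k] == 0:                      # B_k = 0, mu != 0
            B[k - 1] = Bn
            bs[k - 1] = [m * x for x in bs[k - 1]]
            mu[k][k - 1] = 1 / m
            for i in range(k + 1, kmax + 1):
                mu[i][k - 1] /= m
        else:                                # ordinary LLL swap (B_k != 0)
            t = B[k - 1] / Bn
            mu[k][k - 1] = m * t
            bb = bs[k - 1]
            bs[k - 1] = axpy(bs[k], m, bb)
            bs[k] = axpy([-mu[k][k - 1] * x for x in bs[k]], B[k] / Bn, bb)
            B[k] = B[k] * t
            B[k - 1] = Bn
            for i in range(k + 1, kmax + 1):
                t = mu[i][k]
                mu[i][k] = mu[i][k - 1] - m * t
                mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]

    bs[0], B[0] = b[0][:], dot(b[0], b[0])
    k, kmax = 1, 0
    while k < n:
        if k > kmax:                         # step 2: mu_{k,j} = 0 whenever B_j = 0
            kmax = k
            bs[k] = b[k][:]
            for j in range(k):
                mu[k][j] = dot(b[k], bs[j]) / B[j] if B[j] != 0 else Fraction(0)
                bs[k] = axpy(bs[k], -mu[k][j], bs[j])
            B[k] = dot(bs[k], bs[k])
        red(k, k - 1)                        # step 3
        if B[k] < (Fraction(3, 4) - mu[k][k - 1] ** 2) * B[k - 1]:
            swapg(k, kmax)
            k = max(1, k - 1)
        else:
            for l in range(k - 2, -1, -1):
                red(k, l)
            k += 1
    r = sum(1 for v in b if not any(v))      # step 4: the zero vectors come first
    return ([[int(x) for x in row] for row in H], n - r,
            [[int(x) for x in v] for v in b])

def kernel_and_image(A):
    """Step 1 of Algorithm 2.7.1: MLLL on the columns of the integer matrix A.
    Returns (kernel, image): kernel = first n-p columns of H, a Z-basis of
    {x : A x = 0}; image = the p non-zero reduced vectors, a basis of the lattice
    generated by the columns of A."""
    m, n = len(A), len(A[0])
    cols = [[A[i][j] for i in range(m)] for j in range(n)]
    H, p, b = mlll(cols)
    kernel = [[H[i][j] for i in range(n)] for j in range(n - p)]
    return kernel, b[n - p:]

if __name__ == "__main__":
    A = [[1, 2, 3], [2, 4, 6]]               # constructed rank-1 matrix
    print(kernel_and_image(A))
```

For the dependent pair $b_1=(1,2)$, $b_2=2b_1$ the run hits the $B=0$ case of SWAPG once and returns $H_1=(-2,1)^t$ as the relation, $p=1$ and the basis $(1,2)$; for the matrix above the two kernel vectors returned are a basis of the full integer kernel, which one can confirm by checking that the gcd of their $2\times2$ minors is 1 (the kernel of $A$ is a saturated sublattice of $\mathbb{Z}^3$).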

If only the integer kernel of $A$ is wanted, we may replace the test $B_k<(0.75-\mu_{k,k-1}^2)B_{k-1}$ by $B_k=0$, which avoids most of the swaps and gives a much faster algorithm. Since this algorithm is very useful, we give explicitly the complete integer version.
Algorithm 2.7.2 (Kernel over $\mathbb{Z}$ Using LLL). Given an $m\times n$ matrix $A$ with integral entries, this algorithm finds an LLL-reduced $\mathbb{Z}$-basis for the kernel of $A$. We use an auxiliary $n\times n$ integral matrix $H$. We denote by $H_j$ the $j$-th column of $H$ and (to keep notations similar to the other LLL algorithms) by $b_j$ the $j$-th column of $A$. All computations are done using integers only. We use an auxiliary set of flags $f_1,\ldots,f_n$ (which will be such that $f_k=0$ if and only if $B_k=0$).

1. [Initialize] Set $k\leftarrow2$, $k_{\max}\leftarrow1$, $d_0\leftarrow1$, $t\leftarrow b_1\cdot b_1$ and $H\leftarrow I_n$. If $t\ne0$ set $d_1\leftarrow t$ and $f_1\leftarrow1$, otherwise set $d_1\leftarrow1$ and $f_1\leftarrow0$.

2. [Incremental Gram-Schmidt] If $k\le k_{\max}$ go to step 3. Otherwise, set $k_{\max}\leftarrow k$ and for $j=1,\ldots,k$ (in that order) do as follows. If $f_j=0$ and $j<k$, set $\lambda_{k,j}\leftarrow0$. Otherwise, set $u\leftarrow b_k\cdot b_j$ and for each $i=1,\ldots,j-1$ (in that order) such that $f_i\ne0$ set
$$u\leftarrow\frac{d_iu-\lambda_{k,i}\lambda_{j,i}}{d_{i-1}}$$
(the result is in $\mathbb{Z}$), then, if $j<k$ set $\lambda_{k,j}\leftarrow u$, and if $j=k$ set $d_k\leftarrow u$ and $f_k\leftarrow1$ if $u\ne0$, $d_k\leftarrow d_{k-1}$ and $f_k\leftarrow0$ if $u=0$.

3. [Test $f_k=0$ and $f_{k-1}\ne0$] If $f_{k-1}\ne0$, execute Sub-algorithm REDI($k,k-1$) above. If $f_{k-1}\ne0$ and $f_k=0$, execute Sub-algorithm SWAPK($k$) below, set $k\leftarrow\max(2,k-1)$ and go to step 3. Otherwise, for each $l=k-2,k-3,\ldots,1$ (in this order) such that $f_l\ne0$, execute Sub-algorithm REDI($k,l$) above, then set $k\leftarrow k+1$.

4. [Finished?] If $k\le n$ go to step 2. Otherwise, let $r+1$ be the least index such that $f_i\ne0$ ($r=n$ if all $f_i$ are equal to 0). Using Algorithm 2.6.7, output an LLL-reduced basis of the lattice generated by the linearly independent vectors $H_1,\ldots,H_r$ and terminate the algorithm.

Sub-algorithm SWAPK($k$). Exchange the vectors $H_k$ and $H_{k-1}$, and if $k>2$, for all $j$ such that $1\le j\le k-2$ exchange $\lambda_{k,j}$ with $\lambda_{k-1,j}$. Set $\lambda\leftarrow\lambda_{k,k-1}$. If $\lambda=0$, set $d_{k-1}\leftarrow d_{k-2}$, exchange $f_{k-1}$ and $f_k$ (i.e. set $f_{k-1}\leftarrow0$ and $f_k\leftarrow1$), set $\lambda_{k,k-1}\leftarrow0$ and for $i=k+1,\ldots,k_{\max}$ set $\lambda_{i,k}\leftarrow\lambda_{i,k-1}$ and $\lambda_{i,k-1}\leftarrow0$.

If $\lambda\ne0$, for $i=k+1,\ldots,k_{\max}$ set $\lambda_{i,k-1}\leftarrow\lambda\lambda_{i,k-1}/d_{k-1}$, then set $t\leftarrow d_k$, $d_{k-1}\leftarrow\lambda^2/d_{k-1}$, $d_k\leftarrow d_{k-1}$, then for $j=k+1,\ldots,k_{\max}-1$ and for $i=j+1,\ldots,k_{\max}$ set $\lambda_{i,j}\leftarrow\lambda_{i,j}d_{k-1}/t$ and finally for $j=k+1,\ldots,k_{\max}$ set $d_j\leftarrow d_jd_{k-1}/t$. Terminate the sub-algorithm.

Remarks.

(1) Since $f_i=0$ implies $\lambda_{k,i}=0$, time can be saved in a few places by first testing whether $f_i$ vanishes. The proof of the validity of this algorithm is left as an exercise (Exercise 24).

(2) It is an easy exercise to show that in this algorithm
$$d_k=\det\big((b_i\cdot b_j)_{i,j\le k,\ B_i\ne0,\ B_j\ne0}\big)$$
and that $d_j\mu_{i,j}\in\mathbb{Z}$ (see Exercise 29).

(3) An annoying aspect of Algorithm SWAPK is that when $\lambda\ne0$, in addition to the usual updating, we must also update the quantities $d_j$ and $\lambda_{i,j}$ for all $i$ and $j$ such that $k+1\le j\le i\le k_{\max}$. This comes from the single fact that the new value of $d_k$ is different from the old one, and suggests that a suitable modification of the definition of $d_k$ can suppress this additional updating. This is indeed the case (see Exercise 30). Unfortunately, with this modification, it is the reduction algorithm REDI which needs much additional updating. I do not see how to suppress the extra updating in SWAPK and in REDI simultaneously.


2.7.2 Linear and Algebraic Dependence Using LLL

Now let us see how to apply the LLL algorithm to the problem of $\mathbb{Z}$-linear independence. Let $z_1,z_2,\ldots,z_n$ be $n$ complex numbers, and the problem is to find a $\mathbb{Z}$-dependence relation between them, if one exists. Assume first that the $z_i$ are real. For a large number $N$, consider the positive definite quadratic form in the $a_i$:
$$Q(a)=a_2^2+a_3^2+\cdots+a_n^2+N(z_1a_1+z_2a_2+\cdots+z_na_n)^2.$$
This form is represented as a sum of $n$ squares of linearly independent linear forms in the $a_i$, hence defines a Euclidean scalar product on $\mathbb{R}^n$, as long as $z_1\ne0$, which we can of course assume. If $N$ is large, a "short" vector of $\mathbb{Z}^n$ for this form will necessarily be such that $|z_1a_1+\cdots+z_na_n|$ is small, and also the $a_i$ for $i>1$ not too large. Hence, if the $z_i$ are really $\mathbb{Z}$-linearly dependent, by choosing a suitable constant $N$ the dependence relation (which will make $z_1a_1+\cdots+z_na_n$ equal to 0 up to roundoff errors) will be discovered. The choice of the constant $N$ is subtle, and depends in part on what one knows about the problem. If the $|z_i|$ are not too far from 1 (meaning between $10^{-6}$ and $10^6$, say), and are known with an absolute (or relative) precision $\epsilon$, then one should take $N$ between $1/\epsilon$ and $1/\epsilon^2$, but $\epsilon$ should also be taken quite small: if one expects the coefficients $a_i$ to be of the order of $a$, then one might take $\epsilon=a^{-1.5n}$, but in any case $\epsilon<a^{-n}$.

Hence, we will start with the $b_i$ being the standard basis of $\mathbb{Z}^n$, and use LLL with the quadratic form above. One nice thing is that step 2 of the LLL algorithm can be avoided completely. Indeed, one has the following lemma.

Lemma 2.7.3. With the above notations, if we execute the complete Gram-Schmidt orthogonalization procedure on the standard basis of $\mathbb{Z}^n$ and the quadratic form
$$Q(a)=a_2^2+a_3^2+\cdots+a_n^2+N(z_1a_1+z_2a_2+\cdots+z_na_n)^2$$
we have $\mu_{i,1}=z_i/z_1$ for $2\le i\le n$, $\mu_{i,j}=0$ if $2\le j<i\le n$, $b_i^*=b_i-(z_i/z_1)b_1$, $B_1=Nz_1^2$, and $B_k=1$ for $2\le k\le n$.

The proof is trivial by induction.

It is easy to modify these ideas to obtain an algorithm which also works for complex numbers $z_i$. In this case, the quadratic form that we can take is
$$Q(a)=a_3^2+\cdots+a_n^2+N|z_1a_1+z_2a_2+\cdots+z_na_n|^2,$$
since the expression which multiplies $N$ is now a sum of two squares of linear forms, and these forms will be independent if and only if $z_1/z_2$ is not real. We can however always satisfy this condition by a suitable reordering: if there exist $i$ and $j$ such that $z_i/z_j\notin\mathbb{R}$, then by applying a suitable permutation of the $z_i$, we may assume that $z_1/z_2\notin\mathbb{R}$. On the other hand, if $z_i/z_j\in\mathbb{R}$ for all $i$ and $j$, then we can apply the algorithm to the real numbers $1,z_2/z_1,\ldots,z_n/z_1$. All this leads to the following algorithm.

Algorithm 2.7.4 (Linear Dependence). Given $n$ complex numbers $z_1,\ldots,z_n$ (as approximations) and a large number $N$ chosen as explained above, this algorithm finds $\mathbb{Z}$-linear combinations of small modulus between the $z_i$. We assume that all the $z_i$ are non-zero, and that if one of the ratios $z_i/z_j$ is not real, the $z_i$ are reordered so that the ratio $z_2/z_1$ is not real.

1. [Initialize] Set $b_i\leftarrow[0,\ldots,0,1,0,\ldots,0]^t$, i.e. as a column vector the $i$-th element of the standard basis of $\mathbb{Z}^n$. Then, set $\mu_{i,j}\leftarrow0$ for all $i$ and $j$ with $3\le j<i\le n$, $B_1\leftarrow|z_1|^2$, $B_2\leftarrow\mathrm{Im}(z_1\overline{z_2})$, $B_k\leftarrow1$ for $3\le k\le n$, $\mu_{i,1}\leftarrow\mathrm{Re}(z_1\overline{z_i})/B_1$ for $2\le i\le n$.

Now if $B_2\ne0$ (i.e. if we are in the complex case), do the following: set $\mu_{i,2}\leftarrow\mathrm{Im}(z_1\overline{z_i})/B_2$ for $3\le i\le n$, then $B_2\leftarrow N\cdot B_2^2/B_1$. Otherwise (in the real case), set $\mu_{i,2}\leftarrow0$ for $3\le i\le n$, $B_2\leftarrow1$.

2. [Execute LLL] Set $B_1\leftarrow NB_1$, $k\leftarrow2$, $k_{\max}\leftarrow n$, $H\leftarrow I_n$ and go to step 3 of the LLL Algorithm 2.6.3.

3. [Terminate] Output the coefficients $b_i$ as coefficients of linear combinations of the $z_i$ with small modulus, the best one being probably $b_1$.

Implementation advice. Algorithm 2.7.4 performs slightly better if $z_1$ is the number with the largest modulus. Hence one should try to reorder the $z_i$ so that this is the case. (Note that it may not be possible to do so, since if the $z_i$ are not all real, one must have $z_2/z_1$ non-real.)

Remarks. 

(1)  The  reason  why  the  first  component  plays  a  special  role  comes  from  the 
choice  of  the  quadratic  form.  To  be  more  symmetrical,  one  could  choose 
instead 

Q(a)  =  &i  +  o>2  T  4-  •  •  •  +  <2^  +  TV 1 2i<xi  +  Z2&2  +  •  •  •  4-  znan\2 

both  in  the  real  and  complex  case.  The  result  would  be  more  symmetrical 
in  the  variables  a^,  but  then  we  cannot  avoid  executing  step  2  of  the  LLL 
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algorithm,  i.e.  the  Gram-Schmidt  reduction  procedure,  which  in  practice 
can  take  a  non-negligible  proportion  of  the  running  time.  Hence  the  above 
non-symmetric  version  (due  to  W.  Neumann)  is  probably  better. 

(2)  We  can  express  the  linear  dependence  algorithm  in  terms  of  matrices  in¬ 
stead  of  quadratic  forms  as  follows  (for  simplicity  we  use  the  symmetrical 
version  and  we  assume  the  z*  real) .  Set  5  =  y/N.  We  must  then  find  the 
LLL  reduction  of  the  following  (n  4-  1)  x  n  matrix: 


< :  0  ° ) 


:  ••  0 

0  ...  0  1 

\Szi  Sz2  ...  Szn) 


(3) We have not used at all the multiplicative structure of the field C. This means that essentially the same algorithm can be used to find linear dependencies between elements of a k-dimensional vector space over R for any k. This essentially reduces to the MLLL algorithm, except that thanks to the number N we can better handle imprecise vectors.

(4) A different method for finding linear dependence relations, based on an algorithm which is a little different from the LLL algorithm, is explained and analyzed in detail in [HJLS]. It is not clear which should be preferred.

A special case of Algorithm 2.7.4 is when z_i = α^{i−1}, where α is a given complex number. Then finding a Z-linear relation between the z_i is equivalent to finding a polynomial A ∈ Z[X] such that A(α) = 0, i.e. an algebraic relation for α. This is very useful in practice. (From the implementation advice given above we should choose z_i = α^{n−i} instead if |α| > 1.)

In this case however, some modifications may be useful. First note that Lemma 2.7.3 stays essentially the same if we replace the quadratic form Q(a) by

$$ Q(a) = \lambda_2 a_2^2 + \lambda_3 a_3^2 + \cdots + \lambda_n a_n^2 + N\,|z_1 a_1 + z_2 a_2 + \cdots + z_n a_n|^2 $$

where the λ_i are arbitrary positive real numbers (see Exercise 32). Now when testing for algebraic relations, we may or may not know in advance the degree of the relation. Assume that we do. (For example, if α = √2 + √3 + √5 we know that the relation will be of degree 8.) Then (choosing z_i = α^{n−i}) we would like to have small coefficients for α^{n−i} with i small, and allow larger ones for i large. This amounts to choosing λ_i large for small i, and small for large i. One choice could be λ_i = A^{n−i} for some reasonable constant A > 1 (at least such that A^n is much smaller than N). In other words, we look for an algebraic relation for z_i/A.

In other situations, we do not know in advance the degree of the relation, or even if the number is algebraic or not. In this case, it is probably not necessary to modify Algorithm 2.7.4, i.e. we simply choose λ_i = 1 for all i.
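As an added example (not the book's own code), the matrix formulation of Remark (2) turned into a search for an algebraic relation: a textbook LLL run exactly over the rationals on the lattice of Remark (2), with the z_i = α^{n−i} rounded to integers at scale S = √N so that the lattice is integral (the rounding and the choice N = 10^24 are my assumptions), recovering the minimal polynomial X^4 − 10X^2 + 1 of √2 + √3.

```python
from fractions import Fraction
from math import isqrt, sqrt


def lll_reduce(basis, delta=Fraction(3, 4)):
    """LLL-reduce a list of integer row vectors in exact rational arithmetic.
    Textbook scheme of Algorithm 2.6.3: size-reduce b_k, test the Lovasz
    condition, swap on failure.  Gram-Schmidt data are recomputed from
    scratch after every swap, which is fine for the small n used here."""
    b = [[Fraction(x) for x in v] for v in basis]
    n = len(b)
    if n < 2:
        return [[int(x) for x in v] for v in b]

    def gram_schmidt():
        mu = [[Fraction(0)] * n for _ in range(n)]
        bstar, B = [], []
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = sum(x * y for x, y in zip(b[i], bstar[j])) / B[j]
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            mu[i][i] = Fraction(1)
            bstar.append(v)
            B.append(sum(x * x for x in v))
        return mu, B

    k = 1
    mu, B = gram_schmidt()
    while k < n:
        # Size reduction: make |mu_{k,j}| <= 1/2 for all j < k (b*_j is unchanged).
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for l in range(j + 1):
                    mu[k][l] -= q * mu[j][l]
        # Lovasz condition: advance if it holds, otherwise swap and step back.
        if B[k] >= (delta - mu[k][k - 1] ** 2) * B[k - 1]:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
            mu, B = gram_schmidt()
    return [[int(x) for x in v] for v in b]


def integer_relation(z, N):
    """Remark (2): LLL-reduce the lattice spanned by e_i with S*z_i appended,
    S = sqrt(N).  The z_i are floats, so S*z_i is rounded to an integer (my
    choice, making the lattice integral).  Vectors are stored as rows, i.e.
    the transpose of the (n+1) x n matrix in the text.  Returns the first
    reduced vector as (coefficients a, last coordinate ~ S * sum(a_i z_i))."""
    n = len(z)
    S = isqrt(N)
    rows = [[int(i == j) for j in range(n)] + [round(S * z[i])] for i in range(n)]
    best = lll_reduce(rows)[0]
    return best[:n], best[n]


def algebraic_relation(alpha, degree, N=10**24):
    """Algebraic relation of the given degree for alpha, taking z_i = alpha^(n-i)
    (largest modulus first, as the implementation advice suggests for |alpha| > 1).
    Returns the polynomial coefficients, highest degree first (up to sign)."""
    z = [alpha ** (degree - i) for i in range(degree + 1)]
    coeffs, _residual = integer_relation(z, N)
    return coeffs


if __name__ == "__main__":
    # alpha = sqrt(2) + sqrt(3) has minimal polynomial X^4 - 10 X^2 + 1.
    print(algebraic_relation(sqrt(2) + sqrt(3), 4))
```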
2.7.3 Finding Small Vectors in Lattices

For many applications, even though the LLL algorithm does not always give us the smallest vector in a lattice, the vectors which are obtained are sufficiently reasonable to give good results. We have seen one such example in the preceding section, where LLL was used to find linear dependence relations between real or complex numbers. In some cases, however, it is absolutely necessary to find one of the smallest vectors in a lattice, or more generally all vectors having norm less than or equal to some constant. This problem is hard, and in a slightly modified form is known to be NP-complete, i.e. equivalent to the most difficult reasonable problems in computer science for which no polynomial time algorithm is known. (For a thorough discussion of NP-completeness and related matters, see for example [AHU].) Nonetheless, we must give an algorithm to solve it, keeping in mind that any algorithm will probably be exponential time with respect to the dimension.

Using well known linear algebra algorithms (over R and not over Z), we can assume that the matrix defining the Euclidean inner product on R^n is diagonal with respect to the canonical basis, say

$$ Q(x) = q_{1,1}x_1^2 + q_{2,2}x_2^2 + \cdots + q_{n,n}x_n^2. $$

If we want Q(x) ≤ C, say, then we must choose |x_1| ≤ √(C/q_{1,1}). Once x_1 is chosen, we choose |x_2| ≤ √((C − q_{1,1}x_1²)/q_{2,2}), and so on. This leads to n nested loops, and in addition it is desirable to have n variable and not fixed. Hence it is not as straightforward to implement as it may seem. The idea is to use implicitly a lexicographic ordering of the vectors x. If we generalize this to non-diagonal quadratic forms, this leads to the following algorithm.

Algorithm 2.7.5 (Short Vectors). If Q is a positive definite quadratic form given by

$$ Q(x) = \sum_{i=1}^{n} q_{i,i}\Bigl(x_i + \sum_{j=i+1}^{n} q_{i,j}x_j\Bigr)^2 $$

and a positive constant C, this algorithm outputs all the non-zero vectors x ∈ Z^n such that Q(x) ≤ C, as well as the value of Q(x). Only one of the two vectors in the pair (x, −x) is actually given.

1. [Initialize] Set i ← n, T_i ← C, U_i ← 0.

2. [Compute bounds] Set Z ← √(T_i/q_{i,i}), L_i ← ⌊Z − U_i⌋, x_i ← ⌈−Z − U_i⌉ − 1.

3. [Main loop] Set x_i ← x_i + 1. If x_i > L_i, set i ← i + 1 and go to step 3. Otherwise, if i > 1, set T_{i−1} ← T_i − q_{i,i}(x_i + U_i)², i ← i − 1, U_i ← Σ_{j=i+1}^{n} q_{i,j}x_j and go to step 2.

4. [Solution found] If x = 0, terminate the algorithm, otherwise output x, Q(x) = C − T_1 + q_{1,1}(x_1 + U_1)² and go to step 3.

Now, although this algorithm (due in this form to Fincke and Pohst) is quite efficient in small dimensions, it is far from being the whole story. Since we have at our disposal the LLL algorithm which is efficient for finding short vectors in a lattice, we can use it to modify our quadratic form so as to shorten the length of the search. More precisely, let R = (r_{i,j}) be the upper triangular matrix defined by r_{i,j} = √(q_{i,i}) q_{i,j} for 1 ≤ i ≤ j ≤ n, r_{i,j} = 0 for 1 ≤ j < i ≤ n. Then

$$ Q(x) = x^t R^t R x. $$

Now call r_i the columns of R and r'_i the rows of R^{−1}. Then from the identity R^{−1}Rx = x we obtain x_i = r'_i R x, hence by the Cauchy-Schwarz inequality,

$$ x_i^2 \le \|r'_i\|^2 \,(x^t R^t R x) \le \|r'_i\|^2\, C. $$

This bound is quite sharp since for example when the quadratic form is diagonal, we have ||r'_i||² = 1/q_{i,i} and the bound that we obtain for x_1, say, is as usual √(C/q_{1,1}). Using the LLL algorithm on the rows of R^{−1}, however, will in general drastically reduce the norms of these rows, and hence improve correspondingly the search for short vectors.

As  a  final  improvement,  we  note  that  the  implicit  lexicographic  ordering 
on  the  vectors  x  used  in  Algorithm  2.7.5  is  not  unique,  and  in  particular  we 
can  permute  the  coordinates  as  we  like.  This  adds  some  more  freedom  on  our 
reduction  of  the  matrix  R.  Before  giving  the  final  algorithm,  due  to  Fincke 
and  Pohst,  we  give  the  standard  method  to  obtain  the  so-called  Cholesky 
decomposition  of  a  positive  definite  quadratic  form,  i.e.  to  obtain  Q  in  the 
form  used  in  Algorithm  2.7.5. 

Algorithm 2.7.6 (Cholesky Decomposition). Let A be a real symmetric matrix of order n defining a positive definite quadratic form Q. This algorithm computes constants q_{i,j} and a matrix R such that

$$ Q(x) = \sum_{i=1}^{n} q_{i,i}\Bigl(x_i + \sum_{j=i+1}^{n} q_{i,j}x_j\Bigr)^2 $$

or equivalently in matrix form A = R^t R.

1. [Initialize] For all i and j such that 1 ≤ i ≤ j ≤ n set q_{i,j} ← a_{i,j}, then set i ← 0.

2. [Loop on i] Set i ← i + 1. If i = n, go to step 4. Otherwise, for j = i + 1, …, n set q_{j,i} ← q_{i,j} and q_{i,j} ← q_{i,j}/q_{i,i}.

3. [Main loop] For all k and l such that i + 1 ≤ k ≤ l ≤ n set

$$ q_{k,l} \leftarrow q_{k,l} - q_{k,i}\,q_{i,l} $$

and go to step 2.

4. [Find matrix R] For i = 1, …, n set r_{i,i} ← √(q_{i,i}), then set r_{i,j} = 0 if 1 ≤ j < i ≤ n and r_{i,j} = r_{i,i} q_{i,j} if 1 ≤ i < j ≤ n and terminate the algorithm.

Note that this algorithm is essentially a reformulation of the Gram-Schmidt orthogonalization procedure in the case where only the Gram matrix is known. (See Proposition 2.5.7 and Remark (2) after Algorithm 2.6.3.)
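Algorithms 2.7.6 and 2.7.5 carried out in code, as an added example that is not the book's own: the Cholesky step produces the q_{i,j} and R, and the enumeration walks the implicit lexicographic order exactly as the steps above describe (floating point, indices shifted to 0-based; the matrices in the demonstration are constructed).

```python
from math import ceil, floor, sqrt


def cholesky_q(A):
    """Algorithm 2.7.6, steps 1-3, 0-based: from the symmetric positive definite
    matrix A compute q[i][j] with Q(x) = sum_i q[i][i] (x_i + sum_{j>i} q[i][j] x_j)^2.
    The entries q[j][i] for j > i hold the copies made in step 2."""
    n = len(A)
    q = [[float(A[i][j]) for j in range(n)] for i in range(n)]
    for i in range(n - 1):                        # step 2: loop on i
        for j in range(i + 1, n):
            q[j][i] = q[i][j]
            q[i][j] /= q[i][i]
        for k in range(i + 1, n):                 # step 3: main loop
            for l in range(k, n):
                q[k][l] -= q[k][i] * q[i][l]
    return q


def cholesky_R(q):
    """Algorithm 2.7.6, step 4: the upper triangular R with A = R^t R."""
    n = len(q)
    return [[sqrt(q[i][i]) * (1.0 if i == j else q[i][j]) if j >= i else 0.0
             for j in range(n)] for i in range(n)]


def short_vectors(q, C):
    """Algorithm 2.7.5 on the Cholesky data q: yield (x, Q(x)) for every
    non-zero x in Z^n with Q(x) <= C, one vector of each pair (x, -x).
    Coordinates are enumerated from x_{n-1} downwards; the walk ends when
    it reaches x = 0, which is why only one of each pair is produced."""
    n = len(q)
    x, T, U, L = [0] * n, [0.0] * n, [0.0] * n, [0] * n

    def bounds(i):                                # step 2: compute bounds
        Z = sqrt(max(T[i], 0.0) / q[i][i])        # max() absorbs rounding below 0
        L[i] = floor(Z - U[i])
        x[i] = ceil(-Z - U[i]) - 1

    i = n - 1                                     # step 1: initialize
    T[i], U[i] = float(C), 0.0
    bounds(i)
    while True:                                   # step 3: main loop
        x[i] += 1
        if x[i] > L[i]:
            i += 1
            if i == n:                            # never reached (x = 0 comes first); defensive
                return
            continue
        if i > 0:
            T[i - 1] = T[i] - q[i][i] * (x[i] + U[i]) ** 2
            i -= 1
            U[i] = sum(q[i][j] * x[j] for j in range(i + 1, n))
            bounds(i)
            continue
        if not any(x):                            # step 4: solution found
            return
        yield list(x), C - T[0] + q[0][0] * (x[0] + U[0]) ** 2


def small_vectors(A, C):
    """All (x, Q(x)) with x != 0 and Q(x) <= C for the form given by A."""
    return list(short_vectors(cholesky_q(A), C))


if __name__ == "__main__":
    # Constructed sample: the hexagonal form 2x^2 + 2xy + 2y^2 has three
    # pairs of minimal vectors, all of norm 2.
    for x, value in small_vectors([[2, 1], [1, 2]], 2):
        print(x, value)
```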

We  can  now  give  the  algorithm  of  Fincke-Pohst  for  finding  vectors  of  small 
norm  ([Fin-Poh]). 


Algorithm 2.7.7 (Fincke-Pohst). Let A be a real symmetric matrix of order n defining a positive definite quadratic form Q, and C be a positive constant. This algorithm outputs all non-zero vectors x ∈ Z^n such that Q(x) ≤ C and the corresponding values of Q(x). As in Algorithm 2.7.5, only one of the two vectors (x, −x) is actually given.

1. [Cholesky] Apply the Cholesky decomposition Algorithm 2.7.6 to the matrix A, thus obtaining an upper triangular matrix R. Compute also R^{−1} (note that this is easy since R is triangular).

2. [LLL reduction] Apply the LLL algorithm to the n vectors formed by the rows of R^{−1}, thus obtaining a unimodular matrix U and a matrix S^{−1} such that S^{−1} = U^{−1}R^{−1}. Compute also S = RU. (Note that U will simply be the inverse transpose of the matrix H obtained in Algorithm 2.6.3, and this can be directly obtained instead of H in that algorithm, in other words it is not necessary to compute a matrix inverse).

3. [Reorder the columns of S] Call s_i the columns of S and s'_i the rows of S^{−1}. Find a permutation σ on [1, …, n] such that

$$ \|s'_{\sigma(1)}\| \ge \|s'_{\sigma(2)}\| \ge \cdots \ge \|s'_{\sigma(n)}\|. $$

Then permute the columns of S using the same permutation σ, i.e. replace S by the matrix whose i-th column is s_{σ(i)} for 1 ≤ i ≤ n.

4. Compute A_1 ← S^t S, and find the coefficients q_{i,j} of the Cholesky decomposition of A_1 using the first three steps of Algorithm 2.7.6 (it is not necessary to compute the new matrix R).

5. Using Algorithm 2.7.5 on the quadratic form Q_1 defined by the symmetric matrix A_1, compute all the non-zero vectors y such that Q_1(y) ≤ C, and for each such vector output x = U(y_{σ^{−1}(1)}, …, y_{σ^{−1}(n)})^t and Q(x) = Q_1(y).

Although  this  algorithm  is  still  exponential  time,  and  is  more  complex 
than  Algorithm  2.7.5,  in  theory  and  in  practice  it  is  much  better  and  should 
be  used  systematically  except  if  n  is  very  small  (less  than  5,  say). 

Remark. If we want not only small vectors but minimal non-zero vectors, the Fincke-Pohst algorithm should be used as follows. First, use the LLL algorithm on the lattice (Z^n, Q). This will give small vectors in this lattice, and then choose as constant C the smallest norm among the vectors found by LLL, then apply Algorithm 2.7.7.
2.8 Exercises for Chapter 2


1. Prove that if K is a field, any invertible matrix over K is equal to a product of matrices corresponding to elementary column operations. Is this still true if K is not a field, for example for Z?

2. Let MX = B be a square linear system with coefficients in the ring Z/p^rZ for some prime number p and some integer r ≥ 1. Show how to use Algorithm 2.2.1 over the field Q_p to obtain at least one solution to the system, if such a solution exists. Compute in particular the necessary p-adic precision.

3. Write an algorithm which decomposes a square matrix M in the form M = LUP as mentioned in the text, where P is a permutation matrix, and L and U are lower and upper triangular matrices respectively (see [AHU] or [PFTV] if you need help).

4. Give a detailed proof of Proposition 2.2.5.

5. Using the notation of Proposition 2.2.5, show that for k + 1 ≤ i, j ≤ n, the coefficient a_{i,j} is equal to the (k + 1) × (k + 1) minor of M_0 obtained by taking the first k rows and the i-th row, and the first k columns and the j-th column of M_0.

6. Generalize the Gauss-Bareiss method for computing determinants, to the computation of the inverse of a matrix with integer coefficients, and more generally to the other algorithms of this chapter which use elimination.

7. Is it possible to modify the Hessenberg Algorithm 2.2.9 so that when the matrix M has coefficients in Z all (or most) operations are done on integers and not on rational numbers? (I do not know the answer to this question.)

8. Prove the validity of Algorithm 2.3.1.

9. Prove the validity of Algorithm 2.3.6.

10. Write an algorithm for computing one element of the inverse image, analogous to Algorithm 2.3.4 but using elimination directly instead of using Algorithm 2.3.1, and compare the asymptotic speed with that of Algorithm 2.3.4.

11. Prove the validity of Algorithm 2.3.11 and the uniqueness statement of Proposition 2.3.10.

12. In Algorithm 2.3.9, show that if the columns of M and M' are linearly independent then so are the columns of M_2.

13. Assuming Theorem 2.4.1 (1), prove parts (2) and (3). Also, try and prove (1).

14. Prove the uniqueness part of Theorem 2.4.3.

15. Show that among all possible pairs (u, v) such that au + bv = d = gcd(a, b), there exists exactly one such that −|a|/d < v sign(b) ≤ 0, and that in addition we will also have 1 ≤ u sign(a) ≤ |b|/d.

16. Generalize Algorithm 2.4.14 to the case where the n × n square matrix A is not assumed to be non-singular.

17. Let

$$ A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} $$

be a 2 × 2 matrix with integral coefficients such that ad − bc ≠ 0. If we set d_2 = gcd(a, b, c, d) and d_1 = (ad − bc)/d_2, show directly that there exist two matrices U and V in GL_2(Z) such that

$$ A = V \begin{pmatrix} d_1 & 0 \\ 0 & d_2 \end{pmatrix} U $$

(this is the special case n = 2 of Theorem 2.4.12).

18. Let G be a finite Z-module, hence isomorphic to a quotient L'/L, and let A be a matrix giving the coordinates of some Z-basis of L on some Z-basis of L'. Show that the absolute value of det(A) is equal to the cardinality of G.

19. Let B be an invertible matrix with real coefficients. Show that there exist matrices K_1, K_2 and A such that B = K_1 A K_2, where A is a diagonal matrix with positive diagonal coefficients, and K_1 and K_2 are orthogonal matrices (this is called the Cartan decomposition of B). What extra condition can be added so that the decomposition is unique?

20. Prove Proposition 2.5.3 using only matrix-theoretical tools (hint: the matrix Q is diagonalizable since it is real symmetric).

21. Give recursive formulas for the computation of the Gram-Schmidt coefficients μ_{i,j} and B_i when only the Gram matrix (b_i · b_j) is known.

22. Assume that the vector b_i is replaced by some other vector b_k in the Gram-Schmidt process. Compute the new value of B_i = b_i^* · b_i^* in terms of the μ_{k,j} and B_j for j < i.

23. Prove Theorem 2.6.2 (5) and the validity of the LLL Algorithm 2.6.3.

24. Prove that the formulas of Algorithm 2.6.3 become those of Algorithm 2.6.7 when we set λ_{i,j} ← d_j μ_{i,j} and d_i ← d_{i−1} B_i.

25. Show that at the end of Algorithm 2.6.8 the first n − p columns H_i of the matrix H form a basis of the space of relation vectors for the initial b_i.

26. Write an all integer version of Algorithm 2.6.8, generalizing Algorithm 2.6.7 to not necessarily independent vectors. The case corresponding to B_k = 0 but μ_{k,k−1} ≠ 0 must be treated with special care.

27. (This is not really an exercise, just food for thought). Generalize to modules over principal ideal domains R the results and algorithms given about lattices. For example, generalize the LLL algorithm to the case where R is either the ring of integers of a number field (see Chapter 4) assumed to be principal, or is the ring K[X] where K = Q, K = R or K = C. What can be said when K = F_p? Give applications to the problem of linear or algebraic dependence of power series.

28. Compare the performance of Algorithms 2.7.2 and 2.4.10 (in the author's implementations, Algorithm 2.7.2 is by far superior).

29. Prove that the quantities that occur in Algorithm 2.7.2 are indeed all integral. In particular, show that d_k = det(b_i · b_j)_{1≤i,j≤k, B_iB_j≠0} and that d_j μ_{i,j} ∈ Z.

30. Set by convention μ_{k,0} = 1, μ_{k,k} = B_k, j(k) = max{j, 0 ≤ j ≤ k, μ_{k,j} ≠ 0}, d_k = ∏_{1≤i≤k} μ_{i,j(i)} and λ_{k,j} = d_j μ_{k,j} for k > j.

a) Modify Sub-algorithm SWAPK so that it uses this new definition of d_k and λ_{k,j}. In other words, find the formulas giving the new values of the d_j, f_j and λ_{k,j} in terms of the old ones after exchanging b_k and b_{k−1}. In particular show that, contrary to Sub-algorithm SWAPK, d_k is always unchanged.

b) Modify also Sub-algorithm REDI accordingly. (Warning: d_k may be modified, hence all d_j and λ_{i,j} for i > j ≥ k.)

c) Show that we still have d_j ∈ Z and λ_{k,j} ∈ Z (this is much more difficult and is analogous to the integrality property of the Gauss-Bareiss Algorithm 2.2.6 and the sub-resultant Algorithm 3.3.1 that we will study in Chapter 3).

31. It can be proved that

$$ S_k = \sum_{n \ge 1} \bigl(n(n+1)\cdots(n+k-1)\bigr)^{-3} $$

is of the form aπ² + b where a and b are rational numbers when k is even, and also when k is odd if the middle coefficient (n + (k − 1)/2) is only raised to the power −2 instead of −3. Compute S_k for k ≤ 4 using Algorithm 2.7.4.

32. Prove Lemma 2.7.3 and its generalization mentioned after Algorithm 2.7.4. Write the corresponding algebraic dependence algorithm.

33. Let U be a non-singular real square matrix of order n, and let Q be the positive definite quadratic form defined by the real symmetric matrix U^tU. Using explicitly the inverse matrix V of U, generalize Algorithm 2.7.5 to find small values of Q on Z^n (Algorithm 2.7.5 corresponds to the case where U is a triangular matrix). Hint: if you have trouble, see [Knu2] Section 3.3.4.C.


Chapter  3 

Algorithms  on  Polynomials 


Excellent  book  references  on  this  subject  are  [Knu2]  and  [GCL] . 


3.1  Basic  Algorithms 

3.1.1  Representation  of  Polynomials 

Before studying algorithms on polynomials, we need to decide how they will be represented in an actual program. The straightforward way is to represent a polynomial

$$ P(X) = a_nX^n + a_{n-1}X^{n-1} + \cdots + a_1X + a_0 $$

by an array a[0], a[1], …, a[n]. The only difference between different implementations is that the array of coefficients can also be written in reverse order, with a[0] being the coefficient of X^n. We will always use the first representation. Note that the leading coefficient a_n may be equal to 0, although usually this will not be the case.

The true degree of the polynomial P will be denoted by deg(P), and the coefficient of X^{deg(P)}, called the leading coefficient of P, will be denoted by ℓ(P). In the example above, if, as is usually the case, a_n ≠ 0, then deg(P) = n and ℓ(P) = a_n.

The coefficients a_i may belong to any commutative ring with unit, but for many algorithms it will be necessary to specify the base ring. If this base ring is itself a ring of polynomials, we are then dealing with polynomials in several variables, and the representation given above (called the dense representation) is very inefficient, since multivariate polynomials usually have very few non-zero coefficients. In this situation, it is better to use the so-called sparse representation, where only the exponents and coefficients of the non-zero monomials are stored. The study of algorithms based on this kind of representation would however carry us too far afield, and will not be considered here. In any case, practically all the algorithms that we will need use only polynomials in one variable.

The  operations  of  addition,  subtraction  and  multiplication  by  a  scalar,  i.e. 
the  vector  space  operations,  are  completely  straightforward  and  need  not  be 
discussed.  On  the  other  hand,  it  is  necessary  to  be  more  specific  concerning 
multiplication  and  division. 
3.1.2 Multiplication of Polynomials

As far as multiplication is concerned, one can of course use the straightforward method based on the formula:

$$ A(X)B(X) = \sum_{k=0}^{m+n} c_k X^k \quad\text{where}\quad c_k = \sum_{i=0}^{k} a_i b_{k-i}, $$

where it is understood that a_i = 0 if i > m and b_j = 0 if j > n. This method requires (m + 1)(n + 1) multiplications and mn additions. Since in general multiplications are much slower than additions, especially if the coefficients are multi-precision numbers, it is reasonable to count only the multiplication time. If T(M) is the time for multiplication of elements in the base ring, the running time is thus O(mnT(M)). It is possible to multiply polynomials faster than this, however. We will not study this in detail, but will give an example. Assume we want to multiply two polynomials of degree 1. The straightforward method above gives:


$$ (a_1X + a_0)(b_1X + b_0) = c_2X^2 + c_1X + c_0, $$

with

$$ c_0 = a_0b_0, \quad c_1 = a_0b_1 + a_1b_0, \quad c_2 = a_1b_1. $$

As mentioned, this requires 4 multiplications and 1 addition. Consider instead the following alternate method for computing the c_i:

$$ c_0 = a_0b_0, \quad c_2 = a_1b_1, $$

$$ d = (a_1 - a_0)(b_1 - b_0), \quad c_1 = c_0 + (c_2 - d). $$

This  requires  only  3  multiplications,  but  4  additions  (subtraction  and  addition 
times  are  considered  identical).  Hence  it  is  faster  if  one  multiplication  in  the 
base  ring  is  slower  than  3  additions.  This  is  almost  always  the  case,  especially 
if  the  base  ring  is  not  too  simple  or  involves  large  integers.  Furthermore,  this 
method  can  be  used  for  any  degree,  by  recursively  splitting  the  polynomials 
in  two  pieces  of  approximately  equal  degrees. 
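The recursive splitting just described, as an added example that is not the book's code: Karatsuba-style multiplication of polynomials of any degree in the book's dense representation (a[i] is the coefficient of X^i), with a counter of base-ring multiplications so that the saving of 3 products instead of 4 at each level can be checked (the sample inputs are constructed).

```python
def poly_mul_naive(a, b, counter=None):
    """Straightforward product c_k = sum_i a_i b_(k-i); (m+1)(n+1) base-ring
    multiplications, added to counter[0] when a counter is given."""
    if not a or not b:
        return []
    if counter is not None:
        counter[0] += len(a) * len(b)
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] += ai * bj
    return c


def poly_add(a, b, sign=1):
    """Coefficient-wise a + sign*b, padding the shorter list with zeros."""
    n = max(len(a), len(b))
    return [(a[i] if i < len(a) else 0) + sign * (b[i] if i < len(b) else 0)
            for i in range(n)]


def poly_mul_karatsuba(a, b, counter):
    """Recursive splitting a = a0 + X^h a1, b = b0 + X^h b1, h about half the
    larger length.  Three recursive products (c0, c2 and d) replace four; the
    middle block is c1 = c0 + (c2 - d), exactly the degree-1 identity of the
    text.  counter[0] accumulates base-ring multiplications."""
    if not a or not b:
        return []
    if len(a) == 1 or len(b) == 1:
        return poly_mul_naive(a, b, counter)
    h = max(len(a), len(b)) // 2
    a0, a1, b0, b1 = a[:h], a[h:], b[:h], b[h:]
    c0 = poly_mul_karatsuba(a0, b0, counter)
    c2 = poly_mul_karatsuba(a1, b1, counter)
    d = poly_mul_karatsuba(poly_add(a1, a0, -1), poly_add(b1, b0, -1), counter)
    c1 = poly_add(poly_add(c0, c2), d, -1)
    # The three blocks fit inside deg(a) + deg(b) + 1 coefficients.
    result = [0] * (len(a) + len(b) - 1)
    for shift, part in ((0, c0), (h, c1), (2 * h, c2)):
        for i, v in enumerate(part):
            result[i + shift] += v
    return result


def multiplication_count(a, b):
    """Number of base-ring multiplications used by the recursive method."""
    counter = [0]
    poly_mul_karatsuba(a, b, counter)
    return counter[0]


if __name__ == "__main__":
    a, b = list(range(1, 9)), list(range(1, 9))     # two constructed degree-7 polynomials
    assert poly_mul_karatsuba(a, b, [0]) == poly_mul_naive(a, b)
    print(multiplication_count(a, b), "vs", len(a) * len(b))   # 27 vs 64
```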

There  is  a  generalization  of  the  above  method  which  is  based  on  Lagrange’s 
interpolation  formula.  To  compute  A(X)B(X),  which  is  a  polynomial  of  degree 
m+n,  compute  its  value  at  m+n+1  suitably  chosen  points.  This  involves  only 
m  +  n  + 1  multiplications.  One  can  then  recover  the  coefficients  of  A(X)B(X) 
(at  least  if  the  ring  has  characteristic  zero)  by  using  a  suitable  algorithmic 
form  of  Lagrange’s  interpolation  formula.  The  overhead  which  this  implies 
is  unfortunately  quite  large,  and  for  practical  implementations,  the  reader  is 
advised  either  to  stick  to  the  straightforward  method,  or  to  use  the  recursive 
splitting  procedure  mentioned  above. 
3.1.3 Division of Polynomials

We assume here that the polynomials involved have coefficients in a field K (or at least that all the divisions which occur make sense. Note that if the coefficients belong to an integral domain, one can extend the scalars and assume that they in fact belong to the quotient field). The ring K[X] is then a Euclidean domain, and this means that given two polynomials A and B with B ≠ 0, there exist unique polynomials Q and R such that

$$ A = BQ + R, \quad\text{with}\quad \deg(R) < \deg(B) $$

(where as usual we set deg(0) = −∞). As we will see in the next section, this means that most of the algorithms described in Chapter 1 for the Euclidean domain Z can be applied here as well.

First however we must describe algorithms for computing Q and R. The straightforward method can easily be implemented as follows. For a non-zero polynomial Z, recall that ℓ(Z) is the leading coefficient of Z. Then:

Algorithm 3.1.1 (Euclidean Division). Given two polynomials A and B in K[X] with B ≠ 0, this algorithm finds Q and R such that A = BQ + R and deg(R) < deg(B).

1. [Initialize] Set R ← A, Q ← 0.

2. [Finished?] If deg(R) < deg(B) then terminate the algorithm.

3. [Find coefficient] Set

$$ S \leftarrow \frac{\ell(R)}{\ell(B)}\, X^{\deg(R) - \deg(B)}, $$

then Q ← Q + S, R ← R − S·B and go to step 2.


Note that the multiplication S·B in step 3 is not really a polynomial multiplication, but simply a scalar multiplication followed by a shift of coefficients. Also, if division is much slower than multiplication, it is worthwhile to compute only once the inverse of ℓ(B), so as to have only multiplications in step 3. The running time of this algorithm is hence

$$ O\bigl(\deg(B)(\deg(Q) + 1)T(M)\bigr), $$

(of course, deg(Q) = deg(A) − deg(B) if deg(A) ≥ deg(B)).

Remark. The subtraction R ← R − S·B in step 3 of the algorithm must be carefully written: by definition of S, the coefficient of X^{deg R} must become exactly zero, so that the degree of R decreases. If however the base field is for example R or C, the elements of K will only be represented with finite precision, and in general the operation ℓ(R) − ℓ(B)(ℓ(R)/ℓ(B)) will not give exactly zero but a very small number. Hence it is absolutely necessary to set it exactly equal to zero when implementing the algorithm.

Note that the assumption that K is a field is not strictly necessary. Since the only divisions which take place in the algorithm are divisions by the leading coefficient of B, it is sufficient to assume that this coefficient is invertible in K, as for example is the case if B is monic. We will see an example of this in Algorithm 3.5.5 below (see also Exercise 3).

The  abstract  value  T(M)  does  not  reflect  correctly  the  computational 
complexity  of  the  situation.  In  the  case  of  multiplication,  the  abstract  T(M) 
used  made  reasonable  sense.  For  example,  if  the  base  ring  K  was  Z,  then  T(M) 
would  be  the  time  needed  to  multiply  two  integers  whose  size  was  bounded 
by  the  coefficients  of  the  polynomials  A  and  B.  On  the  contrary,  in  Algorithm 
3.1.1  the  coefficients  explode,  as  can  easily  be  seen,  hence  this  abstract  measure 
of  complexity  T(M)  does  not  make  sense,  at  least  in  Z  or  Q.  On  the  other 
hand,  in  a  field  like  Fp,  T(M)  does  make  sense. 

Now these theoretical considerations are in fact very important in practice: among the most used base fields (or rings), there can be no coefficient
explosion  in  Fp  (or  more  generally  any  finite  field),  or  in  R  or  C  (since  in  that 
case  the  coefficients  are  represented  as  limited  precision  quantities).  On  the 
other  hand,  in  the  most  important  case  of  Q  or  Z,  such  an  explosion  does  take 
place,  and  one  must  be  ready  to  deal  with  it. 

There  is  however  one  other  important  special  case  where  no  explosion 
takes place, that is when B is a monic polynomial (ℓ(B) = 1), and A and B
are  in  Z[X].  In  this  case,  there  is  no  division  in  step  3  of  the  algorithm. 

In the general case, one can avoid divisions by multiplying the polynomial A by ℓ(B)^{deg(A)−deg(B)+1}. This gives an algorithm which is not really more efficient than Algorithm 3.1.1, but which is neater and will be used in the next section. Knuth calls it "pseudo-division" of polynomials. It is as follows:

Algorithm 3.1.2 (Pseudo-Division). Let K be a ring, A and B be two polynomials in K[X] with B ≠ 0, and set m ← deg(A), n ← deg(B), d ← ℓ(B). Assume that m ≥ n. This algorithm finds Q and R such that d^{m−n+1}A = BQ + R and deg(R) < deg(B).

1. [Initialize] Set R ← A, Q ← 0, e ← m − n + 1.

2. [Finished?] If deg(R) < deg(B) then set q ← d^e, Q ← qQ, R ← qR and terminate the algorithm.

3. [Find coefficient] Set

$$ S \leftarrow \ell(R)\, X^{\deg(R) - \deg(B)}, $$

then Q ← d·Q + S, R ← d·R − S·B, e ← e − 1 and go to step 2.

Since the algorithm does not use any division, we assume only that K is a ring, for example one can have K = Z. Note also that the final multiplication by q = d^e is needed only to get the exact power of d, and this is necessary for some applications such as the sub-resultant algorithm (see 3.3). If it is only necessary to get some constant multiple of Q and R, one can dispense with e and q entirely.


3.2  Euclid’s  Algorithms  for  Polynomials 

3.2.1  Polynomials  over  a  Field 

Euclid's algorithms given in Section 1.3 can be applied with essentially no modification to polynomials with coefficients in a field K where no coefficient explosion takes place (such as F_p). In fact, these algorithms are even simpler, since it is not necessary to have special versions à la Lehmer for multi-precision numbers. They are thus as follows:

Algorithm  3.2.1  (Polynomial  GCD).  Given  two  polynomials  A  and  B  over 
a  field  K,  this  algorithm  determines  their  GCD  in  K[X]. 

1.  [Finished?]  If  B  =  0,  then  output  A  as  the  answer  and  terminate  the  algorithm. 

2. [Euclidean step] Let A = B·Q + R with deg(R) < deg(B) be the Euclidean division of A by B. Set A ← B, B ← R and go to step 1.

The  extended  version  is  the  following: 

Algorithm 3.2.2 (Extended Polynomial GCD). Given two polynomials A and B over a field K, this algorithm determines (U, V, D) such that AU + BV = D = (A, B).

1. [Initialize] Set U ← 1, D ← A, V_1 ← 0, V_3 ← B.

2. [Finished?] If V_3 = 0 then let V ← (D − AU)/B (the division being exact), output (U, V, D) and terminate the algorithm.

3. [Euclidean step] Let D = QV_3 + R be the Euclidean division of D by V_3. Set T ← U − V_1Q, U ← V_1, D ← V_3, V_1 ← T, V_3 ← R and go to step 2.

Note that the polynomials U and V given by this algorithm are polynomials of the smallest degree, i.e. they satisfy deg(U) < deg(B/D), deg(V) < deg(A/D).

If the base field is $\mathbb{R}$ or $\mathbb{C}$, then the condition B = 0 of Algorithm 3.2.1 (or $V_3 = 0$ in Algorithm 3.2.2) becomes meaningless since numbers are represented only approximately. In fact, polynomial GCD's over these fields, although mathematically well defined, cannot be used in practice since the coefficients are only approximate. Even if we assume the coefficients to be given by some formula which allows us to compute them as precisely as we desire, the computation cannot usually be done. Consider for example the computation of

$$\gcd\bigl(X - \pi,\ X^2 - 6\zeta(2)\bigr),$$

where $\zeta(s) = \sum_{n \ge 1} n^{-s}$ is the Riemann zeta function. Although we can compute the coefficients to as many decimal places as we desire, algebra alone will not tell us that this GCD is equal to $X - \pi$ since $\zeta(2) = \pi^2/6$. The point of this discussion is that one should keep in mind that it is meaningless in practice to compute polynomial GCD's over $\mathbb{R}$ or $\mathbb{C}$.

On  the  other  hand,  if  the  base  field  is  Q,  the  above  algorithms  make 
perfect  sense.  Here,  as  already  mentioned  for  Euclidean  division,  the  practical 
problem  of  the  coefficient  explosion  will  occur,  and  since  several  divisions  are 
performed,  it  will  be  much  worse. 

To be specific, if p is small, the GCD of two polynomials of $\mathbb{F}_p[X]$ of degree 1000 can be computed in a reasonable amount of time, say a few seconds, while the GCD of polynomials in Q[X] (even with very small integer coefficients) could take incredibly long, years maybe, because of coefficient explosion. Hence in this case it is absolutely necessary to use better algorithms. We will see this in Sections 3.3 and 3.6.1. Before that, we need some important results about polynomials over a Unique Factorization Domain (UFD).


3.2.2  Unique  Factorization  Domains  (UFD’s) 


Definition 3.2.3. Let $\mathcal{R}$ be an integral domain (i.e. a commutative ring with unit 1 and no zero divisors). We say that $u \in \mathcal{R}$ is a unit if u has a multiplicative inverse in $\mathcal{R}$. If a and b are elements of $\mathcal{R}$ with b ≠ 0, we say that b divides a (and write b | a) if there exists $q \in \mathcal{R}$ such that a = bq. Since $\mathcal{R}$ is an integral domain, such a q is unique and denoted by a/b. Finally $p \in \mathcal{R}$ is called an irreducible element or a prime element if q divides p implies that either q or p/q is a unit.


Definition 3.2.4. A ring $\mathcal{R}$ is called a unique factorization domain (UFD) if $\mathcal{R}$ is an integral domain, and if every non-unit $x \in \mathcal{R}$ can be written in the form $x = \prod p_i$, where the $p_i$ are (not necessarily distinct) prime elements, and if this form is unique up to permutation and multiplication of the primes by units.


Important examples of UFD's are given by the following theorem (see [Kap], [Sam]):

Theorem 3.2.5.

(1) If $\mathcal{R}$ is a principal ideal domain (i.e. $\mathcal{R}$ is an integral domain and every ideal is principal), then $\mathcal{R}$ is a UFD. In particular, Euclidean domains (i.e. those having a Euclidean division) are UFD's.

(2) If $\mathcal{R}$ is the ring of algebraic integers of a number field (see Chapter 4), then $\mathcal{R}$ is a UFD if and only if $\mathcal{R}$ is a principal ideal domain.

(3) If $\mathcal{R}$ is a UFD, then the polynomial rings $\mathcal{R}[X_1, \dots, X_n]$ are also UFD's.


Note that the converse of (1) is not true in general: for example the ring C[X, Y] is a UFD (by (3)), but is not a principal ideal domain (the ideal generated by X and Y is not principal).

We  will  not  prove  Theorem  3.2.5  (see  Exercise  6  for  a  proof  of  (3)),  but 
we  will  prove  some  basic  lemmas  on  UFD’s  before  continuing  further. 

Theorem 3.2.6. Let $\mathcal{R}$ be a UFD. Then

(1) If p is prime, then for all a and b in $\mathcal{R}$, p | ab if and only if p | a or p | b.

(2) If a | bc and a has no common divisor with b other than units, then a | c.

(3) If a and b have no common divisor other than units, then if a and b divide $c \in \mathcal{R}$, then ab | c.

(4) Given a set $S \subset \mathcal{R}$ of elements of $\mathcal{R}$, there exists $d \in \mathcal{R}$ called a greatest common divisor (GCD) of the elements of S, and having the following properties: d divides all the elements of S, and if e is any element of $\mathcal{R}$ dividing all the elements of S, then e | d. Furthermore, if d and d' are two GCD's of S, then d/d' is a unit.


Proof. (1) Assume p | ab. Since $\mathcal{R}$ is a UFD, one can write $a = \prod_{1 \le i \le m} p_i$ and $b = \prod_{m+1 \le i \le m+n} p_i$, the $p_i$ being not necessarily distinct prime elements of $\mathcal{R}$. On the other hand, since $ab/p \in \mathcal{R}$ we can also write $ab = p \prod_j q_j$ with prime elements $q_j$. By the uniqueness of prime decomposition, since $ab = \prod_{1 \le i \le m+n} p_i$, we deduce that p is equal to a unit times one of the $p_i$. Hence, if i ≤ m, then p | a, while if i > m, then p | b, proving (1).

(2) We prove (2) by induction on the number n of prime factors of b, counted with multiplicity. If n = 0 then b is a unit and a | c. Assume the result true for n − 1, and let bc = qa with n ≥ 1. Let p be a prime divisor of b. p divides qa, and by assumption p does not divide a. Hence by (1) p divides q, and we can write b'c = q'a with b' = b/p, q' = q/p. Since b' has only n − 1 prime divisors, (2) follows by induction.

(3) Write c = qa with $q \in \mathcal{R}$. Since b | c, by (2) we deduce that b | q, hence ab | c.

(4) For every element $s \in S$, write

$$s = u \prod_{p} p^{v_p(s)},$$

where u is a unit, the product is over all distinct prime elements of $\mathcal{R}$ up to units, and $v_p(s)$ is the number of times that the prime p occurs in s, hence is 0 for all but finitely many p. Set

$$d = \prod_{p} p^{a_p}, \quad \text{where } a_p = \min_{s \in S} v_p(s).$$

This min is of course equal to 0 for all but a finite number of p, and it is clear that d satisfies the conditions of the theorem. □

We will say that the elements of S are coprime if their GCD is a unit. By definition of a UFD, this is equivalent to saying that no prime element is a common divisor. Note that if $\mathcal{R}$ is not only a UFD but also a principal ideal domain (for example when the UFD $\mathcal{R}$ is the ring of algebraic integers in a number field), then the coprimality condition is equivalent to saying that the ideal generated by the elements is the whole ring $\mathcal{R}$. This is however not true in general. For example, in the UFD C[X, Y], the elements X and Y are coprime, but the ideal which they generate is the set of polynomials P such that P(0, 0) = 0, and this is not the whole ring.


3.2.3  Polynomials  over  Unique  Factorization  Domains 


Definition 3.2.7. Let $\mathcal{R}$ be a UFD, and $A \in \mathcal{R}[X]$. We define the content of A and write cont(A) as a GCD of the coefficients of A. We say that A is primitive if cont(A) is a unit, i.e. if its coefficients are coprime. Finally, if A ≠ 0 the polynomial A/cont(A) is primitive, and is called the primitive part of A, and denoted pp(A) (in the case A = 0 we define cont(A) = 0, pp(A) = 0).

The fundamental result on these notions, due to Gauss, is as follows:

Theorem 3.2.8. Let A and B be two polynomials over a UFD $\mathcal{R}$. Then there exists a unit $u \in \mathcal{R}$ such that

$$\operatorname{cont}(A \cdot B) = u\,\operatorname{cont}(A)\,\operatorname{cont}(B), \qquad \operatorname{pp}(A \cdot B) = u^{-1}\,\operatorname{pp}(A)\,\operatorname{pp}(B).$$

In particular, the product of two primitive polynomials is primitive.

Proof. Since A = cont(A) pp(A), it is clear that this theorem is equivalent to the statement that the product of two primitive polynomials A and B is primitive. Assume the contrary. Then there exists a prime $p \in \mathcal{R}$ which divides all the coefficients of AB. Write $A(X) = \sum a_i X^i$ and $B(X) = \sum b_i X^i$. By assumption there exists a j such that $a_j$ is not divisible by p, and similarly a k such that $b_k$ is not divisible by p. Choose j and k as small as possible. The coefficient of $X^{j+k}$ in AB is

$$a_j b_k + a_{j+1} b_{k-1} + \cdots + a_{j+k} b_0 + a_{j-1} b_{k+1} + \cdots + a_0 b_{k+j},$$

and all the terms in this sum are divisible by p except the term $a_j b_k$ (since j and k have been chosen as small as possible), and $a_j b_k$ itself is not divisible by p since p is prime. Hence p does not divide the coefficient of $X^{j+k}$ in AB, contrary to our assumption, and this proves the theorem. □
Corollary 3.2.9. Let A and B be two polynomials over a UFD $\mathcal{R}$. Then there exist units u and v in $\mathcal{R}$ such that

$$\operatorname{cont}(\gcd(A, B)) = u \gcd(\operatorname{cont}(A), \operatorname{cont}(B)), \qquad \operatorname{pp}(\gcd(A, B)) = v \gcd(\operatorname{pp}(A), \operatorname{pp}(B)).$$


3.2.4  Euclid’s  Algorithm  for  Polynomials  over  a  UFD 

We  can  now  give  Euclid’s  algorithm  for  polynomials  defined  over  a  UFD.  The 
important  point  to  notice  is  that  the  sequence  of  operations  will  be  essentially 
identical  to  the  corresponding  algorithm  over  the  quotient  field  of  the  UFD, 
but  the  algorithm  will  run  much  faster.  This  is  because  implementing  arith¬ 
metic  in  the  quotient  field  (say  in  Q  if  R  =  Z)  will  involve  taking  GCD’s  in  the 
UFD  all  the  time,  many  more  than  are  needed  to  execute  Euclid’s  algorithm. 
Hence  the  following  algorithm  is  always  to  be  preferred  to  Algorithm  3.2.1 
when  the  coefficients  of  the  polynomials  are  in  a  UFD.  We  will  however  study 
in  the  next  section  a  more  subtle  and  efficient  method. 

Algorithm 3.2.10 (Primitive Polynomial GCD). Given two polynomials A and B with coefficients in a UFD $\mathcal{R}$, this algorithm computes a GCD of A and B, using only operations in $\mathcal{R}$. We assume that we already have at our disposal algorithms for (exact) division and for GCD in $\mathcal{R}$.

1. [Reduce to primitive] If B = 0, output A and terminate. Otherwise, set a ← cont(A), b ← cont(B), d ← gcd(a, b), A ← A/a, B ← B/b.

2. [Pseudo division] Compute R such that $\ell(B)^{\deg(A) - \deg(B) + 1} A = BQ + R$ using Algorithm 3.1.2. If R = 0 go to step 4. If deg(R) = 0, set B ← 1 and go to step 4.

3. [Replace] Set A ← B, B ← pp(R) = R/cont(R) and go to step 2.

4. [Terminate] Output d · B and terminate the algorithm.

In  the  next  section,  we  will  see  an  algorithm  which  is  in  general  faster  than 
the  above  algorithm.  There  are  also  other  methods  which  are  often  even  faster, 
but  are  based  on  quite  different  ideas.  Consider  the  case  where  R  =  Z.  Instead 
of  trying  to  control  the  explosion  of  coefficients,  we  simply  put  ourselves  in  a 
field  where  this  does  not  occur,  i.e.  in  the  finite  field  Fp  for  suitable  primes 
p.  If  one  finds  that  the  GCD  modulo  p  has  degree  0  (and  this  will  happen 
often) ,  then  if  p  is  suitably  chosen  it  will  follow  that  the  initial  polynomials 
are  coprime  over  Z.  Even  if  the  GCD  is  not  of  degree  0,  it  is  in  general  quite 
easy  to  deduce  from  it  the  GCD  over  Z.  We  will  come  back  to  this  question 
in  Section  3.6.1. 
3.3 The Sub-Resultant Algorithm

3.3.1  Description  of  the  Algorithm 

The  main  inconvenience  of  Algorithm  3.2.10  is  that  we  compute  the  content 
of  R  in  step  3  each  time,  and  this  is  a  time  consuming  operation.  If  we  did 
not  reduce  R  at  all,  then  the  coefficient  explosion  would  make  the  algorithm 
much  slower,  and  this  is  also  not  acceptable.  There  is  a  nice  algorithm  due 
to  Collins,  which  is  a  good  compromise  and  which  is  in  general  faster  than 
Algorithm  3.2.10,  although  the  coefficients  are  larger.  The  idea  is  that  one 
can  give  an  a  priori  divisor  of  the  content  of  R,  which  is  sufficiently  large 
to  replace  the  content  itself  in  the  reduction.  This  algorithm  is  derived  from 
the  algorithm  used  to  compute  the  resultant  of  two  polynomials  (see  Section 
3.3.2),  and  is  called  the  sub-resultant  algorithm.  We  could  still  divide  A  and 
B  by  their  content  from  time  to  time  (say  every  10  iterations),  but  this  would 
be  a  very  bad  idea  (see  Exercise  4). 

Algorithm 3.3.1 (Sub-Resultant GCD). Given two polynomials A and B with coefficients in a UFD $\mathcal{R}$, this algorithm computes a GCD of A and B, using only operations in $\mathcal{R}$. We assume that we already have at our disposal algorithms for (exact) division and for GCD in $\mathcal{R}$.

1. [Initializations and reductions] If deg(B) > deg(A) exchange A and B. Now if B = 0, output A and terminate the algorithm, otherwise, set a ← cont(A), b ← cont(B), d ← gcd(a, b), A ← A/a, B ← B/b, g ← 1 and h ← 1.

2. [Pseudo division] Set δ ← deg(A) − deg(B). Using Algorithm 3.1.2, compute R such that $\ell(B)^{\delta + 1} A = BQ + R$. If R = 0 go to step 4. If deg(R) = 0, set B ← 1 and go to step 4.

3. [Reduce remainder] Set A ← B, B ← $R/(g h^{\delta})$, g ← ℓ(A), h ← $h^{1 - \delta} g^{\delta}$ and go to step 2. (Note that all the divisions which may occur in this step give a result in the ring $\mathcal{R}$.)

4. [Terminate] Output d · B/cont(B) and terminate the algorithm.

It is not necessary for us to give the proof of the validity of this algorithm, since it is long and is nicely done in [Knu2]. The main points to notice are as follows: first, it is clear that this algorithm gives exactly the same sequence of polynomials as the straightforward algorithm, but multiplied or divided by some constants. Consequently, the only thing to prove is that all the quantities occurring in the algorithm stay in the ring $\mathcal{R}$. This is done by showing that all the coefficients of the intermediate polynomials as well as the quantities h are determinants of matrices whose coefficients are coefficients of A and B, hence are in the ring $\mathcal{R}$.

Another result which one obtains in proving the validity of the algorithm is that in the case $\mathcal{R} = \mathbb{Z}$, if m = deg(A), n = deg(B), and N is an upper bound for the absolute value of the coefficients of A and B, then the coefficients of the intermediate polynomials are all bounded by the quantity

$$N^{m+n}(m+1)^{n/2}(n+1)^{m/2},$$

and this is reasonably small. One can then show that the execution time for computing the GCD of two polynomials of degree n over Z when their coefficients are bounded by N in absolute value is $O\bigl(n^4 (\ln Nn)^2\bigr)$.

I leave as an exercise to the reader the task of writing an extended version of Algorithm 3.3.1 which gives polynomials U and V such that AU + BV = r(A, B), where $r \in \mathcal{R}$. All the operations must of course be done in $\mathcal{R}$ (see Exercise 5). Note that it is not always possible to have r = 1. For example, if A(X) = X and B(X) = 2, then (A, B) = 1 but for any U and V the constant term of AU + BV is even.
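The two GCD algorithms for polynomials over a UFD, Algorithm 3.2.10 (content removed at every step) and Algorithm 3.3.1 (the sub-resultant divisor used instead), side by side over Z, as an added example that is not code from the book. Polynomials are lists of Python ints with the coefficient of $X^i$ at index i, pseudo-division is written out in the form Algorithm 3.1.2 prescribes, and the function names, the list representation and the initial exchange of A and B in `primitive_gcd` (which the book's Algorithm 3.2.10 does not perform) are my choices. The exactness check in `div_const` is the one a practitioner wants when porting these routines: a non-exact division there means the g/h bookkeeping of step 3 has been mistranscribed.

```python
from functools import reduce
from math import gcd

# Added example (not from the book): polynomials over Z are lists of ints,
# coefficient of X^i at index i; the zero polynomial is the empty list.

def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a):
    return len(a) - 1                       # deg(0) = -1 by this convention

def add(a, b):
    n = max(len(a), len(b))
    return trim([x + y for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))])

def scale(a, c):
    return trim([c * x for x in a])

def mul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim(r)

def div_const(a, c):
    """Divide every coefficient by c, insisting that the division is exact."""
    if any(x % c for x in a):
        raise ArithmeticError("division by %d is not exact" % c)
    return trim([x // c for x in a])

def content(a):
    return reduce(gcd, a, 0)                # GCD of the coefficients; content(0) = 0

def primitive_part(a):
    return div_const(a, content(a))

def pseudo_divmod(A, B):
    """Algorithm 3.1.2: (Q, R) with lc(B)^(deg A - deg B + 1) * A = B*Q + R, deg R < deg B.
    When deg A < deg B it returns (0, A); the callers below only need R up to a constant."""
    A, B = trim(A), trim(B)
    if not B:
        raise ZeroDivisionError("pseudo-division by the zero polynomial")
    if deg(A) < deg(B):
        return [], A
    b, e = B[-1], deg(A) - deg(B) + 1
    Q, R = [], A
    while R and deg(R) >= deg(B):
        S = [0] * (deg(R) - deg(B)) + [R[-1]]          # S = lc(R) X^(deg R - deg B)
        Q, R = add(scale(Q, b), S), add(scale(R, b), scale(mul(S, B), -1))
        e -= 1
    return scale(Q, b ** e), scale(R, b ** e)        # restore the exact power of lc(B)

def primitive_gcd(A, B):
    """Algorithm 3.2.10 (Primitive Polynomial GCD) over Z."""
    A, B = trim(A), trim(B)
    if deg(A) < deg(B):                     # my addition: the book's step 1 does not swap
        A, B = B, A
    if not B:                               # step 1
        return A
    a, b = content(A), content(B)
    d = gcd(a, b)
    A, B = div_const(A, a), div_const(B, b)
    while True:
        R = pseudo_divmod(A, B)[1]          # step 2
        if not R:
            break
        if deg(R) == 0:
            B = [1]
            break
        A, B = B, primitive_part(R)         # step 3: the full content is removed every round
    return scale(B, d)                      # step 4

def subresultant_gcd(A, B):
    """Algorithm 3.3.1 (Sub-Resultant GCD) over Z."""
    A, B = trim(A), trim(B)
    if deg(B) > deg(A):                     # step 1
        A, B = B, A
    if not B:
        return A
    a, b = content(A), content(B)
    d = gcd(a, b)
    A, B = div_const(A, a), div_const(B, b)
    g = h = 1
    while True:
        delta = deg(A) - deg(B)             # step 2
        R = pseudo_divmod(A, B)[1]
        if not R:
            break
        if deg(R) == 0:
            B = [1]
            break
        A, B = B, div_const(R, g * h ** delta)   # step 3: a priori divisor of cont(R)
        g = A[-1]
        h = g ** delta * h // h ** delta    # h <- h^(1-delta) g^delta, exact in Z
    return scale(div_const(B, content(B)), d)    # step 4
```

Both functions return the same GCD; what differs is the size of the intermediate remainders, which can be inspected by printing R inside the loops. The coprime pair of degrees 8 and 6 used in the test below is the standard example for this algorithm in [Knu2]; the sub-resultant version reduces its remainders by the factors $g h^{\delta}$ alone, without ever computing a content, and still ends with a constant remainder.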


3.3.2  Resultants  and  Discriminants 

Let A and B be two polynomials over an integral domain $\mathcal{R}$ with quotient field K, and let $\bar{K}$ be an algebraic closure of K.

Definition 3.3.2. Let $A(X) = a(X - \alpha_1) \cdots (X - \alpha_m)$ and $B(X) = b(X - \beta_1) \cdots (X - \beta_n)$ be the decomposition of A and B in $\bar{K}$. Then the resultant R(A, B) of A and B is given by one of the equivalent formulas:

$$R(A, B) = a^n B(\alpha_1) \cdots B(\alpha_m) = (-1)^{mn} b^m A(\beta_1) \cdots A(\beta_n) = a^n b^m \prod_{1 \le i \le m,\ 1 \le j \le n} (\alpha_i - \beta_j).$$

Definition 3.3.3. If $A \in \mathcal{R}[X]$, with m = deg(A), the discriminant disc(A) of A is equal to the expression:

$$(-1)^{m(m-1)/2}\, R(A, A')/\ell(A),$$

where A' is the derivative of A.


The main point about these definitions is that resultants and discriminants have coefficients in $\mathcal{R}$. Indeed, by the symmetry in the roots $\alpha_i$, it is clear that the resultant is a function of the symmetric functions of the roots, hence is in K. It is not difficult to see that the coefficient $a^n$ insures that $R(A, B) \in \mathcal{R}$. Another way to see this is to prove the following lemma.

Lemma 3.3.4. If $A(X) = \sum_{0 \le i \le m} a_i X^i$ and $B(X) = \sum_{0 \le i \le n} b_i X^i$, then the resultant R(A, B) is equal to the determinant of the following (n + m) × (n + m) matrix:
$$
\begin{pmatrix}
a_m & a_{m-1} & \cdots & a_0 & 0 & \cdots & 0 \\
0 & a_m & \cdots & a_1 & a_0 & \cdots & 0 \\
\vdots & & \ddots & & & \ddots & \vdots \\
0 & \cdots & 0 & a_m & a_{m-1} & \cdots & a_0 \\
b_n & b_{n-1} & \cdots & b_0 & 0 & \cdots & 0 \\
0 & b_n & \cdots & b_1 & b_0 & \cdots & 0 \\
\vdots & & \ddots & & & \ddots & \vdots \\
0 & \cdots & 0 & b_n & b_{n-1} & \cdots & b_0
\end{pmatrix}
$$

where the coefficients of A are repeated on n = deg(B) rows, and the coefficients of B are repeated on m = deg(A) rows.


The above matrix is called Sylvester's matrix. Since the only non-zero coefficients of the first column of this matrix are $a_m$ and $b_n$, it is clear that R(A, B) is not only in $\mathcal{R}$ but in fact divisible (in $\mathcal{R}$) by gcd(ℓ(A), ℓ(B)). In particular, if B = A', R(A, A') is divisible by ℓ(A), hence disc(A) is also in $\mathcal{R}$.

Proof. Call M the above matrix. Assume first that the $\alpha_i$ and $\beta_j$ are all distinct. Consider the (n + m) × (n + m) Vandermonde matrix $V = (v_{i,j})$ defined by $v_{i,j} = \beta_j^{\,m+n-i}$ if j ≤ n, $v_{i,j} = \alpha_{j-n}^{\,m+n-i}$ if n + 1 ≤ j ≤ n + m. Then the Vandermonde determinant det(V) is non-zero since we assumed the $\alpha_i$ and $\beta_j$ distinct, and we have

$$\det(V) = \prod_{i<j} (\beta_i - \beta_j) \prod_{i<j} (\alpha_i - \alpha_j) \prod_{i,j} (\beta_i - \alpha_j).$$

On the other hand, it is clear that

$$
MV = \begin{pmatrix}
\beta_1^{\,n-1} A(\beta_1) & \cdots & \beta_n^{\,n-1} A(\beta_n) & 0 & \cdots & 0 \\
\vdots & & \vdots & \vdots & & \vdots \\
A(\beta_1) & \cdots & A(\beta_n) & 0 & \cdots & 0 \\
0 & \cdots & 0 & \alpha_1^{\,m-1} B(\alpha_1) & \cdots & \alpha_m^{\,m-1} B(\alpha_m) \\
\vdots & & \vdots & \vdots & & \vdots \\
0 & \cdots & 0 & B(\alpha_1) & \cdots & B(\alpha_m)
\end{pmatrix},
$$

hence det(MV) is equal to the product of the two diagonal block determinants, which are again Vandermonde determinants. Hence we obtain:

$$\det(MV) = A(\beta_1) \cdots A(\beta_n)\, B(\alpha_1) \cdots B(\alpha_m) \prod_{i<j} (\beta_i - \beta_j) \prod_{i<j} (\alpha_i - \alpha_j).$$

Comparing with the formula for det(V) and using det(V) ≠ 0 we obtain

$$\det(M) \prod_{i,j} (\beta_i - \alpha_j) = A(\beta_1) \cdots A(\beta_n)\, B(\alpha_1) \cdots B(\alpha_m).$$

Since clearly $A(\beta_1) \cdots A(\beta_n) = a^n \prod_{i,j} (\beta_i - \alpha_j)$, the lemma follows in the case where all the $\alpha_j$ and $\beta_i$ are distinct, and it follows in general by a continuity argument or by taking the roots as formal variables. □

Note  that  by  definition,  the  resultant  of  A  and  B  is  equal  to  0  if  and 
only  if  A  and  B  have  a  common  root,  hence  if  and  only  if  deg(A,  B )  >  0.  In 
particular,  the  discriminant  of  a  polynomial  A  is  zero  if  and  only  if  A  has  a 
non-trivial  square  factor,  hence  if  and  only  if  deg(A,  A')  >  0. 

The  definition  of  the  discriminant  that  we  have  given  may  seem  a  little 
artificial.  It  is  motivated  by  the  following  proposition. 

Proposition 3.3.5. Let $A \in \mathcal{R}[X]$ with m = deg(A), and let $\alpha_i$ be the roots of A in $\bar{K}$. Then we have

$$\operatorname{disc}(A) = \ell(A)^{m-1+\deg(A')} \prod_{1 \le i < j \le m} (\alpha_i - \alpha_j)^2.$$

Proof. If A has multiple roots, both sides are 0. So we assume that A has only simple roots. Now if a = ℓ(A), we have

$$A'(X) = a \sum_i \prod_{j \ne i} (X - \alpha_j),$$

hence

$$A'(\alpha_i) = a \prod_{j \ne i} (\alpha_i - \alpha_j).$$

Thus we obtain

$$R(A, A') = a^{m + \deg(A')} (-1)^{m(m-1)/2} \prod_{i<j} (\alpha_i - \alpha_j)^2,$$

thus proving the proposition. Note that we have deg(A') = m − 1, except when the characteristic of $\mathcal{R}$ is non-zero and divides m. □


The  following  corollary  follows  immediately  from  the  definitions. 

Corollary 3.3.6. We have $R(A_1 A_2, A_3) = R(A_1, A_3)\, R(A_2, A_3)$ and $\operatorname{disc}(A_1 A_2) = \operatorname{disc}(A_1)\, \operatorname{disc}(A_2)\, (R(A_1, A_2))^2$.


Resultants  and  discriminants  will  be  fundamental  in  our  handling  of  alge¬ 
braic  numbers.  Now  the  nice  fact  is  that  we  have  already  done  essentially  all 
the  work  necessary  to  compute  them:  a  slight  modification  of  Algorithm  3.3.1 
will  give  us  the  resultant  of  A  and  B. 
Algorithm 3.3.7 (Sub-Resultant). Given two polynomials A and B with coefficients in a UFD $\mathcal{R}$, this algorithm computes the resultant of A and B.

1. [Initializations and reductions] If A = 0 or B = 0, output 0 and terminate the algorithm. Otherwise, set a ← cont(A), b ← cont(B), A ← A/a, B ← B/b, g ← 1, h ← 1, s ← 1 and $t \leftarrow a^{\deg(B)} b^{\deg(A)}$. Finally, if deg(A) < deg(B) exchange A and B and if in addition deg(A) and deg(B) are odd set s ← −1.

2. [Pseudo division] Set δ ← deg(A) − deg(B). If deg(A) and deg(B) are odd, set s ← −s. Finally, compute R such that $\ell(B)^{\delta + 1} A = BQ + R$ using Algorithm 3.1.2.

3. [Reduce remainder] Set A ← B and B ← $R/(g h^{\delta})$.

4. [Finished?] Set g ← ℓ(A), h ← $h^{1 - \delta} g^{\delta}$. If deg(B) > 0 go to step 2, otherwise set $h \leftarrow h^{1 - \deg(A)} \ell(B)^{\deg(A)}$, output s · t · h and terminate the algorithm.


Proof. Set $A_0 = A$, $A_1 = B$, let $A_i$ be the sequence of polynomials generated by this algorithm, and let $R_i$ be the remainders obtained in step 2. Let t be the index such that $\deg(A_{t+1}) = 0$. Set $d_k = \deg(A_k)$, $\ell_k = \ell(A_k)$, and let $g_k$ and $h_k$ be the quantities g and h in stage k, so that $g_0 = h_0 = 1$. Finally set $\delta_k = d_k - d_{k+1}$. Denoting by $\beta_i$ the roots of $A_k$, we clearly have for k ≥ 1:

1  <i<dk 

—  Rk+l{Pi) 

1  <i<dk  V 

1  <i<dk 

Now using $R(A, cB) = c^{\deg(A)} R(A, B)$ and the identities $g_k = \ell_k$ and $h_k = h_{k-1}^{\,1-\delta_{k-1}} g_k^{\,\delta_{k-1}}$ for k ≥ 1, we see that the expression simplifies to


R(Ak.ltAk)  =  R(Ak,  Ak+1). 


9k+1ht 

Using $d_{t+1} = 0$, hence $\delta_t = d_t$, we finally obtain
R{A,B)  =  (-l)£i<fc<*  dk-'dkhl~6> 


R{At,At+ 1) 


=  (-l)Ei<  ’■s>dt-ldkhl-d^,+1 


thus proving the validity of the algorithm. □
Note that it is the same kind of argument and simplifications which show that the $A_k$ have coefficients in the same ring $\mathcal{R}$ as the coefficients of A and B, and that the $h_k$ also belong to $\mathcal{R}$. In fact, we have just proved for instance that $h_{t+1} \in \mathcal{R}$.

Finally, to compute discriminants of polynomials, one simply uses Algorithm 3.3.7 and the formula

$$\operatorname{disc}(A) = (-1)^{m(m-1)/2}\, R(A, A')/\ell(A),$$

where m = deg(A).


3.3.3  Resultants  over  a  Non-Exact  Domain 

Although  resultants  and  GCD’s  are  similar,  from  the  computational  point 
of  view,  there  is  one  respect  in  which  they  completely  differ.  It  does  make 
practical  sense  to  compute  (approximate)  resultants  over  R,  C  or  Qp,  while 
it  does  not  make  sense  for  GCD’s  as  we  have  already  explained.  When  deal¬ 
ing  with  resultants  of  polynomials  with  such  non-exact  coefficients  we  must 
however  be  careful  not  to  use  the  sub-resultant  algorithm.  For  one  thing,  it 
is  tailored  to  avoid  denominator  explosion  when  the  coefficients  are,  for  ex¬ 
ample,  rational  numbers  or  rational  functions  in  other  variables.  But  most 
importantly,  it  would  simply  give  wrong  results,  since  the  remainders  R  ob¬ 
tained  in  the  algorithm  are  only  approximate;  hence  a  zero  leading  coefficient 
could  appear  as  a  very  small  non-zero  number,  leading  to  havoc  in  the  next 
iteration. 

Hence,  in  this  case,  the  natural  solution  is  to  evaluate  directly  Sylvester’s 
determinant.  Now  the  usual  Gaussian  elimination  method  for  computing  de¬ 
terminants  also  involves  dividing  by  elements  of  the  ring  to  which  the  co¬ 
efficients  belong.  In  the  case  of  the  ring  Z,  say,  this  is  not  a  problem  since 
the  quotient  of  two  integers  will  be  represented  exactly  as  a  rational  number. 
Even  for  non-exact  rings  like  R,  the  quotient  is  another  real  number  given 
to  a  slightly  worse  and  computable  approximation.  On  the  other  hand,  in  the 
case  where  the  coefficients  are  themselves  polynomials  in  another  variable  over 
some  non-exact  ring  like  R,  although  one  could  argue  in  the  same  way  using 
rational  functions,  the  final  result  will  not  in  general  simplify  to  a  polynomial 
as  it  should,  for  the  same  reason  as  before. 

To  work  around  this  problem,  we  must  use  the  Gauss-Bareiss  Algorithm 
2.2.6  which  has  exactly  the  property  of  keeping  all  the  computations  in  the 
initial  base  ring.  Keep  in  mind,  as  already  mentioned  after  Algorithm  2.2.6, 
that  if  some  division  of  elements  of  R[X]  (say)  is  required,  then  Euclidean 
division  must  be  used,  i.e.  we  must  get  a  polynomial  as  a  result. 

Hence to compute resultants we can apply this algorithm to Sylvester's matrix, even when the coefficients are not exact. (In the case of exact coefficients, this algorithm will evidently also work, but will be slower than the sub-resultant algorithm.) Since Sylvester's matrix is an (n + m) × (n + m) matrix, it is important to note that simple row operations can reduce it to an n × n matrix to which we can then apply the Gauss-Bareiss algorithm (see Exercise 8).

Remark.  The  Gauss-Bareiss  method  and  the  sub-resultant  algorithm  are  in 
fact  closely  linked.  It  is  possible  to  adapt  the  sub-resultant  algorithm  so  as 
to  give  correct  answers  in  the  non-exact  cases  that  we  have  mentioned  (see 
Exercise  10),  but  the  approach  using  determinants  is  probably  safer. 
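The approach this section recommends, as an added example that is not code from the book: the Sylvester matrix of Lemma 3.3.4 is built from integer coefficient lists and its determinant is taken by fraction-free Gauss-Bareiss elimination, which gives `resultant`, and Definition 3.3.3 then gives `discriminant`. The function names, the list representation (coefficient of $X^i$ at index i) and the restriction to Z are my assumptions; the point worth seeing is that every intermediate entry of the elimination is an integer, so the exact-division check never fails and no content or denominator ever has to be tracked.

```python
# Added example (not from the book): resultant and discriminant over Z through
# Sylvester's matrix and Gauss-Bareiss elimination.  Polynomials are lists of
# ints with the coefficient of X^i at index i; the zero polynomial is [].

def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a):
    return len(a) - 1                       # deg(0) = -1

def derivative(a):
    return trim([i * a[i] for i in range(1, len(a))])

def sylvester_matrix(A, B):
    """(n+m)x(n+m) matrix of Lemma 3.3.4: the coefficients of A (highest degree first)
    shifted along n = deg B rows, then those of B shifted along m = deg A rows."""
    A, B = trim(A), trim(B)
    m, n = deg(A), deg(B)
    if m < 0 or n < 0:
        raise ValueError("Sylvester's matrix needs two non-zero polynomials")
    size = m + n
    rows = []
    for i in range(n):
        rows.append([0] * i + A[::-1] + [0] * (size - m - 1 - i))
    for i in range(m):
        rows.append([0] * i + B[::-1] + [0] * (size - n - 1 - i))
    return rows

def bareiss_det(M):
    """Determinant by Gauss-Bareiss elimination (Algorithm 2.2.6 of the book):
    each division is exact, so the working matrix stays in Z throughout."""
    M = [row[:] for row in M]
    n = len(M)
    if n == 0:
        return 1                            # empty matrix: both polynomials constant
    sign, prev = 1, 1
    for k in range(n - 1):
        if M[k][k] == 0:                    # bring a non-zero pivot into position
            piv = next((i for i in range(k + 1, n) if M[i][k] != 0), None)
            if piv is None:
                return 0
            M[k], M[piv] = M[piv], M[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev
            M[i][k] = 0
        prev = M[k][k]
    return sign * M[n - 1][n - 1]

def resultant(A, B):
    """R(A, B) as the determinant of Sylvester's matrix (Lemma 3.3.4)."""
    A, B = trim(A), trim(B)
    if not A or not B:
        return 0
    return bareiss_det(sylvester_matrix(A, B))

def discriminant(A):
    """disc(A) = (-1)^(m(m-1)/2) R(A, A') / lc(A) (Definition 3.3.3), for deg A >= 1."""
    A = trim(A)
    m = deg(A)
    if m < 1:
        raise ValueError("discriminant is taken here for deg A >= 1 only")
    r = resultant(A, derivative(A))
    if r % A[-1] != 0:                      # R(A, A') is divisible by lc(A), as the text notes
        raise ArithmeticError("R(A, A') not divisible by the leading coefficient")
    sign = -1 if (m * (m - 1) // 2) % 2 else 1
    return sign * r // A[-1]
```

For $X^2 + bX + c$ the routine returns the familiar $b^2 - 4c$, and for $X^3 - X$ it returns 4, the product of the squared root differences in Proposition 3.3.5; the zero-pivot branch of `bareiss_det` is exercised by $X^2 + 1$, whose Sylvester matrix has a zero in the second diagonal position after the first elimination step.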


3.4  Factorization  of  Polynomials  Modulo  p 

3.4.1  General  Strategy 

We now consider the problem of factoring polynomials. In practice, for polynomials in one variable the most important base rings are Z (or Q), $\mathbb{F}_p$ or $\mathbb{Q}_p$. Factoring over $\mathbb{R}$ or $\mathbb{C}$ is equivalent to root finding, hence belongs to the domain of numerical analysis. We will give a simple but efficient method for this in Section 3.6.3.

Most factorization methods rely on factorization methods over $\mathbb{F}_p$, hence we will consider this first. In Section 1.6, we have given algorithms for finding roots of polynomials modulo p, and explained that no polynomial-time deterministic algorithm is known to do this (if one does not assume the GRH). The more general case of factoring is similar. The algorithms that we will describe are probabilistic, but are quite efficient.

Contrary to the case of polynomials over Z, polynomials over $\mathbb{F}_p$ have a tendency to have several factors. Hence the problem is not only to break up the polynomial into two pieces (at least), but to factor completely the polynomial as a product of powers of irreducible (i.e. prime in $\mathcal{R}[X]$) polynomials. This is done in four steps, in the following way.

Algorithm 3.4.1 (Factor in $\mathbb{F}_p[X]$). Let $A \in \mathbb{F}_p[X]$ be monic (since we are over a field, this does not restrict the generality). This algorithm factors A as a product of powers of irreducible polynomials in $\mathbb{F}_p[X]$.

1. [Squarefree factorization] Find polynomials $A_1, A_2, \dots, A_k$ in $\mathbb{F}_p[X]$ such that

(1) $A = A_1 A_2^2 \cdots A_k^k$,

(2) The $A_i$ are squarefree and coprime.

(This decomposition of A will be called the squarefree factorization of A).

2. [Distinct degree factorization] For i = 1, ..., k find polynomials $A_{i,d} \in \mathbb{F}_p[X]$ such that $A_{i,d}$ is the product of all irreducible factors of $A_i$ of degree d (hence $A_i = \prod_d A_{i,d}$).

3. [Final splittings] For each i and d, factor $A_{i,d}$ into $\deg(A_{i,d})/d$ irreducible factors of degree d.

4. [Cleanup] Group together all the identical factors found, order them by degree, output the complete factorization and terminate the algorithm.

Of  course,  this  is  only  the  skeleton  of  an  algorithm  since  steps  1,  2  and  3 
are  algorithms  by  themselves.  We  will  consider  them  in  turn. 


3.4.2  Squarefree  Factorization 

Let $\bar{\mathbb{F}}_p$ be an algebraic closure of $\mathbb{F}_p$. If $A \in \mathbb{F}_p[X]$ is monic, define $A_i(X) = \prod_j (X - \alpha_j)$ where the $\alpha_j$ are the roots of A in $\bar{\mathbb{F}}_p$ of multiplicity exactly equal to i. Since the Galois group of $\bar{\mathbb{F}}_p/\mathbb{F}_p$ preserves the multiplicity of the roots of A, it permutes the $\alpha_j$, so all the $A_i$ have in fact coefficients in $\mathbb{F}_p$ (this will also follow from the next algorithm). It is clear that they satisfy the conditions of step 1. It remains to give an algorithm to compute them.

If $A = \prod_i A_i^i$ with $A_i$ squarefree and coprime, then $A' = \sum_i \bigl(\prod_{j \ne i} A_j^j\bigr)\, i A_i' A_i^{\,i-1}$. Hence, if T = gcd(A, A'), then for all irreducible P dividing T, the exponent $v_P(T)$ of P in the prime decomposition of T can be obtained as follows: P dividing A must divide an $A_m$ for some m. Hence, for all i ≠ m in the sum for A', the $v_P$ of the i-th summand is greater than or equal to m and for i = m is equal to m − 1 if p ∤ m, and otherwise the summand is 0 (note that since $A_m$ is squarefree, $A_m'$ cannot be divisible by P). Hence, we obtain that $v_P(T) = m - 1$ if p ∤ m, and $v_P(T) \ge m$, so $v_P(T) = m$ (since T divides A) if p | m. Finally, we obtain the formula

$$T = (A, A') = \prod_{p \nmid i} A_i^{\,i-1} \prod_{p \mid i} A_i^{\,i}.$$

Note that we could have given a much simpler proof over Z, and in that case the exponent of $A_i$ would be equal to i − 1 for all i.

Now we define two sequences of polynomials by induction as follows. Set $T_1 = T$ and $V_1 = A/T = \prod_{p \nmid i} A_i$. For k ≥ 1, set $V_{k+1} = (T_k, V_k)$ if p ∤ k, $V_{k+1} = V_k$ if p | k, and $T_{k+1} = T_k/V_{k+1}$. It is easy to check by induction that

$$V_k = \prod_{i \ge k,\ p \nmid i} A_i \quad\text{and}\quad T_k = \prod_{i \ge k,\ p \nmid i} A_i^{\,i-k} \prod_{p \mid i} A_i^{\,i}.$$

From this it follows that $A_k = V_k/V_{k+1}$ for p ∤ k. We thus obtain all the $A_k$ for p ∤ k, and we continue as long as $V_k$ is a non-constant polynomial. When $V_k$ is constant, we have $T_{k-1} = \prod_{p \mid i} A_i^{\,i}$, hence there exists a polynomial U such that $T_{k-1}(X) = U^p(X) = U(X^p)$, and this polynomial can be trivially obtained from $T_{k-1}$. We then start again recursively the whole algorithm of squarefree decomposition on the polynomial U. Transforming the recursive step into a loop we obtain the following algorithm.
Algorithm 3.4.2 (Squarefree Factorization). Let $A \in \mathbb{F}_p[X]$ be a monic polynomial and let $A = \prod_{i \ge 1} A_i^i$ be its squarefree factorization, where the $A_i$ are squarefree and pairwise coprime. This algorithm computes the polynomials $A_i$, and outputs the pairs $(i, A_i)$ for the values of $i$ for which $A_i$ is not constant.

1. [Initialize] Set $e \leftarrow 1$ and $T_0 \leftarrow A$.

2. [Initialize $e$-loop] If $T_0$ is constant, terminate the algorithm. Otherwise, set $T \leftarrow (T_0, T_0')$, $V \leftarrow T_0/T$ and $k \leftarrow 0$.

3. [Finished $e$-loop?] If $V$ is constant, $T$ must be of the form $T(X) = \sum_{p \mid j} t_j X^j$, so set $T_0 \leftarrow \sum_{p \mid j} t_j X^{j/p}$, $e \leftarrow pe$ and go to step 2.

4. [Special case] Set $k \leftarrow k + 1$. If $p \mid k$ set $T \leftarrow T/V$ and $k \leftarrow k + 1$.

5. [Compute $A_{ek}$] Set $W \leftarrow (T, V)$, $A_{ek} \leftarrow V/W$, $V \leftarrow W$ and $T \leftarrow T/V$. If $A_{ek}$ is not constant output $(ek, A_{ek})$. Go to step 3.


3.4.3 Distinct Degree Factorization

We can now assume that we have a squarefree polynomial $A$ and we want to group factors of $A$ of the same degree $d$. This procedure is known as distinct degree factorization and is quite simple. We first need to recall some results about finite fields. Let $P \in \mathbb{F}_p[X]$ be an irreducible polynomial of degree $d$. Then the field $K = \mathbb{F}_p[X]/P(X)\mathbb{F}_p[X]$ is a finite field with $p^d$ elements. Hence, every element $x$ of the multiplicative group $K^*$ satisfies the equation $x^{p^d - 1} = 1$, therefore every element of $K$ satisfies $x^{p^d} = x$. This shows that $P$ is a divisor of the polynomial $X^{p^d} - X$ in $\mathbb{F}_p[X]$. Conversely, every irreducible factor of $X^{p^d} - X$ which is not a factor of $X^{p^e} - X$ for $e < d$ has degree exactly $d$. This leads to the following algorithm.

Algorithm 3.4.3 (Distinct Degree Factorization). Given a squarefree polynomial $A \in \mathbb{F}_p[X]$, this algorithm finds for each $d$ the polynomial $A_d$ which is the product of the irreducible factors of $A$ of degree $d$.

1. [Initialize] Set $V \leftarrow A$, $W \leftarrow X$, $d \leftarrow 0$.

2. [Finished?] Set $e \leftarrow \deg(V)$. If $d + 1 > e/2$, then if $e > 0$ set $A_e = V$, $A_i = 1$ for all other $i > d$, and terminate the algorithm. If $d + 1 \le e/2$, set $d \leftarrow d + 1$, $W \leftarrow W^p \bmod V$.

3. [Output $A_d$] Output $A_d = (W - X, V)$. If $A_d \ne 1$, set $V \leftarrow V/A_d$, $W \leftarrow W \bmod V$. Go to step 2.

Once the $A_d$ have been found, it remains to factor them. We already know the number of irreducible factors of $A_d$, which is equal to $\deg(A_d)/d$. In particular, if $\deg(A_d) = d$, then $A_d$ is irreducible.

Note that the distinct degree factorization algorithm above succeeds in factoring $A$ completely quite frequently. With reasonable assumptions, it can be shown that the irreducible factors of $A$ modulo $p$ will have distinct degrees with probability close to $e^{-\gamma} \approx 0.56146$, where $\gamma$ is Euler's constant, where we assume the degree of $A$ to be large (see [Knu2]).

As a corollary to the above discussion and algorithm, we see that it is easy to determine whether a polynomial is irreducible in $\mathbb{F}_p[X]$. More precisely, we have:

Proposition 3.4.4. A polynomial $A \in \mathbb{F}_p[X]$ of degree $n$ is irreducible if and only if the following two conditions are satisfied:
$$X^{p^n} \equiv X \pmod{A(X)},$$
and for each prime $q$ dividing $n$
$$\big(X^{p^{n/q}} - X, A(X)\big) = 1.$$

Note that to test in practice the second condition of the proposition, one must first compute $B(X) = X^{p^{n/q}} \bmod A(X)$ using the powering algorithm, and then compute $\gcd(B(X) - X, A(X))$. Hence, the time necessary for this irreducibility test, assuming one uses the $O(n^2)$ algorithms for multiplication and division of polynomials of degree $n$, is essentially $O(n^3 \ln p)$, if the factorization of $n$ is known (since nobody considers polynomials of degree larger than, say, $10^9$, this is a reasonable assumption).

It is interesting to compare this with the analogous primality test for integers. By Proposition 8.3.1, $n$ is prime if and only if for each prime $q$ dividing $n - 1$ one can find an $a_q \in \mathbb{Z}$ such that $a_q^{n-1} \equiv 1 \pmod n$ and $a_q^{(n-1)/q} \not\equiv 1 \pmod n$. This takes time $O(\ln^3 n)$, assuming the factorization of $n - 1$ to be known. But this is an unreasonable assumption, since one commonly wants to prove the primality of numbers of 100 decimal digits, and at present it is quite unreasonable to factor a 100 digit number. Hence the above criterion is not useful as a general purpose primality test over the integers.


3.4.4 Final Splitting

Finally we must consider the most important and central part of Algorithm 3.4.1, its step 3, which in fact does most of the work. After the preceding steps we are left with the following problem. Given a polynomial $A$ which is known to be squarefree and equal to a product of irreducible polynomials of degree exactly equal to $d$, find these factors. Of course, $\deg(A)$ is a multiple of $d$, and if $\deg(A) = d$ we know that $A$ is itself irreducible and there is nothing to do. A simple and efficient way to do this was found by Cantor and Zassenhaus. Assume first that $p > 2$. Then we have the following lemma:

Proposition 3.4.5. If $A$ is as above, then for any polynomial $T \in \mathbb{F}_p[X]$ we have the identity:
$$A = (A, T) \cdot \big(A, T^{(p^d-1)/2} + 1\big) \cdot \big(A, T^{(p^d-1)/2} - 1\big).$$

Proof. The roots of the polynomial $X^{p^d} - X$, being the elements of $\mathbb{F}_{p^d}$, are all distinct. It follows that for any $T \in \mathbb{F}_p[X]$, the polynomial $T(X)^{p^d} - T(X)$ also has all the elements of $\mathbb{F}_{p^d}$ as roots, hence is divisible by $X^{p^d} - X$. In particular, as we have seen in the preceding section, it is a multiple of every irreducible polynomial of degree $d$, hence of $A$, since $A$ is squarefree. The claimed identity follows immediately by noting that
$$T^{p^d} - T = T \cdot \big(T^{(p^d-1)/2} + 1\big) \cdot \big(T^{(p^d-1)/2} - 1\big)$$
with the three factors pairwise coprime. □

Now it is not difficult to show that if one takes for $T$ a random monic polynomial of degree less than or equal to $2d - 1$, then $(A, T^{(p^d-1)/2} - 1)$ will be a non-trivial factor of $A$ with probability close to $1/2$. Hence, we can use the following algorithm to factor $A$:

Algorithm 3.4.6 (Cantor-Zassenhaus Split). Given $A$ as above, this algorithm outputs its irreducible factors (which are all of degree $d$). This algorithm will be called recursively.

1. [Initialize] Set $k \leftarrow \deg(A)/d$. If $k = 1$, output $A$ and terminate the algorithm.

2. [Try a $T$] Choose $T \in \mathbb{F}_p[X]$ randomly such that $T$ is monic of degree less than or equal to $2d - 1$. Set $B \leftarrow (A, T^{(p^d-1)/2} - 1)$. If $\deg(B) = 0$ or $\deg(B) = \deg(A)$ go to step 2.

3. [Recurse] Factor $B$ and $A/B$ using the present algorithm recursively, and terminate the algorithm.

Note that, as has already been mentioned after Proposition 3.4.4, to compute $B$ in step 2 one first computes $C \leftarrow T^{(p^d-1)/2} \bmod A$ using the powering algorithm, and then $B \leftarrow (A, C - 1)$.
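The three steps of Algorithm 3.4.1 described so far (squarefree factorization, distinct degree factorization and the Cantor-Zassenhaus split), as an added Python example that is not the book's code: it assumes an odd prime $p$, represents a polynomial as a list of coefficients mod $p$ indexed by degree, and the polynomial in the demonstration is constructed for this example.

```python
"""Added example (not the book's code): factorization in F_p[X] for an odd prime p along the
lines of Algorithms 3.4.2 (squarefree), 3.4.3 (distinct degree) and 3.4.6 (Cantor-Zassenhaus).
A polynomial is a list of coefficients mod p, index = degree, no trailing zeros (zero is [])."""
import random

def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f
def sub(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a - b) % p for a, b in zip(f, g)])
def mul(f, g, p):
    r = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            r[i + j] = (r[i + j] + a * b) % p
    return trim(r)
def divmod_p(f, g, p):                       # quotient and remainder of f by g != 0 in F_p[X]
    f, inv = f[:], pow(g[-1], -1, p)
    q = [0] * max(len(f) - len(g) + 1, 0)
    while len(f) >= len(g):
        c, k = f[-1] * inv % p, len(f) - len(g)
        q[k] = c
        for i, b in enumerate(g):
            f[i + k] = (f[i + k] - c * b) % p
        trim(f)
    return trim(q), f
def gcd(f, g, p):                            # monic gcd by Euclid's algorithm
    while g:
        f, g = g, divmod_p(f, g, p)[1]
    return [c * pow(f[-1], -1, p) % p for c in f] if f else []
def powmod(f, n, m, p):                      # f^n mod m by binary powering
    r, f = [1], divmod_p(f, m, p)[1]
    while n:
        if n & 1:
            r = divmod_p(mul(r, f, p), m, p)[1]
        f, n = divmod_p(mul(f, f, p), m, p)[1], n >> 1
    return r

def squarefree(A, p):                        # Algorithm 3.4.2 for monic A: {i: A_i}, A = prod A_i^i
    out, e, T0 = {}, 1, A
    while len(T0) > 1:                       # step 2: T0 not constant
        T = gcd(T0, trim([i * T0[i] % p for i in range(1, len(T0))]), p)   # T = (T0, T0')
        V, k = divmod_p(T0, T, p)[0], 0
        while len(V) > 1:                    # step 3: V not constant
            k += 1
            if k % p == 0:                   # step 4: exponents divisible by p are skipped
                T, k = divmod_p(T, V, p)[0], k + 1
            W = gcd(T, V, p)                 # step 5: A_ek = V/W, V <- W, T <- T/V
            Aek = divmod_p(V, W, p)[0]
            V, T = W, divmod_p(T, W, p)[0]
            if len(Aek) > 1:
                out[e * k] = Aek
        # V constant: T = U(X^p) = U(X)^p, so restart on U with e <- p*e
        T0, e = [T[j] for j in range(0, len(T), p)], e * p
    return out

def distinct_degree(A, p):                   # Algorithm 3.4.3 for squarefree monic A: {d: A_d}
    out, V, W, d = {}, A, [0, 1], 0
    while True:
        e = len(V) - 1                       # step 2
        if 2 * (d + 1) > e:
            if e > 0:
                out[e] = V                   # what is left is irreducible of degree e
            return out
        d, W = d + 1, powmod(W, p, V, p)     # W = X^(p^d) mod V
        Ad = gcd(sub(W, [0, 1], p), V, p)    # step 3: A_d = (W - X, V)
        if len(Ad) > 1:
            out[d] = Ad
            V = divmod_p(V, Ad, p)[0]
            W = divmod_p(W, V, p)[1]

def cantor_zassenhaus(A, d, p, rng=None):    # Algorithm 3.4.6: factors of A, all of degree d
    rng = rng or random.Random(1)            # seeded only so that the demo is reproducible
    if len(A) - 1 == d:                      # step 1: k = 1, A is irreducible
        return [A]
    while True:                              # step 2: random monic T of degree 2d - 1
        T = [rng.randrange(p) for _ in range(2 * d - 1)] + [1]
        C = powmod(T, (p ** d - 1) // 2, A, p)
        B = gcd(sub(C, [1], p), A, p)        # B = (A, T^((p^d-1)/2) - 1)
        if 0 < len(B) - 1 < len(A) - 1:
            break
    Q = divmod_p(A, B, p)[0]                 # step 3: recurse on B and A/B
    return cantor_zassenhaus(B, d, p, rng) + cantor_zassenhaus(Q, d, p, rng)

def factor_mod_p(A, p):                      # Algorithm 3.4.1: sorted (monic factor, multiplicity)
    result = []
    for i, Ai in squarefree(A, p).items():
        for d, Ad in distinct_degree(Ai, p).items():
            result += [(P, i) for P in cantor_zassenhaus(Ad, d, p)]
    return sorted(result, key=lambda t: (len(t[0]), t[0], t[1]))

if __name__ == "__main__":                   # constructed input: (X+1)(X+2)(X^2+2)^3 over F_5
    A = mul(mul([1, 1], [2, 1], 5), mul(mul([2, 0, 1], [2, 0, 1], 5), [2, 0, 1], 5), 5)
    print(factor_mod_p(A, 5))                # [([1, 1], 1), ([2, 1], 1), ([2, 0, 1], 3)]
```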

Finally, we must consider the case where $p = 2$. In that case, the following result is the analog of Proposition 3.4.5:

Proposition 3.4.7. Set
$$U(X) = X + X^2 + X^4 + \cdots + X^{2^{d-1}}.$$
If $p = 2$ and $A$ is as above, then for any polynomial $T \in \mathbb{F}_2[X]$ we have the identity
$$A = (A, U \circ T) \cdot (A, U \circ T + 1).$$

Proof. Note that $(U \circ T)^2 = T^2 + T^4 + \cdots + T^{2^d}$, hence $(U \circ T) \cdot (U \circ T + 1) = T^{2^d} - T$ (remember that we are in characteristic 2). By the proof of Proposition 3.4.5 we know that this is a multiple of $A$, and the identity follows. □

Exactly as in the case of $p > 2$, one can show that the probability that $(A, U \circ T)$ is a non-trivial factor of $A$ is close to $1/2$, hence essentially the same algorithm as Algorithm 3.4.6 can be used. Simply replace in step 2 $B \leftarrow (A, T^{(p^d-1)/2} - 1)$ by $B \leftarrow (A, U \circ T)$. Here, however, we can do better than choosing random polynomials $T$ in step 2 as follows.

Algorithm 3.4.8 (Split for $p = 2$). Given $A \in \mathbb{F}_2[X]$ as above, this algorithm outputs its irreducible factors (which are all of degree $d$). This algorithm will be called recursively.

1. [Initialize] Set $k \leftarrow \deg(A)/d$. If $k = 1$, output $A$ and terminate the algorithm, otherwise set $T \leftarrow X$.

2. [Test $T$] Set $C \leftarrow T$ and then repeat $d - 1$ times $C \leftarrow T + C^2 \bmod A$. Then set $B \leftarrow (A, C)$. If $\deg(B) = 0$ or $\deg(B) = \deg(A)$ then set $T \leftarrow T \cdot X^2$ and go to step 2.

3. [Recurse] Factor $B$ and $A/B$ using the present algorithm recursively, and terminate the algorithm.

Proof. If this algorithm terminates, it is clear that the output is a factorization of $A$, hence the algorithm is correct. We must show that it terminates. Notice first that the computation of $C$ done in step 2 is nothing but the computation of $U \circ T \bmod A$ (note that on page 630 of [Knu2], Knuth gives $C \leftarrow (C + C^2 \bmod A)$, but this should be instead, as above, $C \leftarrow T + C^2 \bmod A$).

Now, since for any $T \in \mathbb{F}_2[X]$, we have by Proposition 3.4.7 $U(T) \cdot (U(T) + 1) \equiv 0 \pmod A$, it is clear that $(U(T), A) = 1$ is equivalent to $U(T) \equiv 1 \pmod A$. Furthermore, one immediately checks that $U(T^2) \equiv U(T) \pmod A$, and that $U(T_1 + T_2) = U(T_1) + U(T_2)$.

Now I claim that the algorithm terminates when $T = X^e$ in step 2 for some odd value of $e$ such that $e \le 2d - 1$. Indeed, assume the contrary. Then we have for every odd $e \le 2d - 1$, $(U(X^e), A) = 1$ or $A$, hence $U(X^e) \equiv 0$ or $1$ modulo $A$. Since $U(T^2) \equiv U(T) \pmod A$, this is true also for even values of $e < 2d$, and the linearity of $U$ implies that this is true for every polynomial of degree less than or equal to $2d$. Now $U$ is a polynomial of degree $2^{d-1}$, and has at most (in fact exactly, see Exercise 15) $2^{d-1}$ roots in $\mathbb{F}_{2^d}$. Let $\beta \in \mathbb{F}_{2^d}$ not be a root of $U$. The number of irreducible factors of $A$ is at least equal to 2 (otherwise we would have stopped at step 1), and let $A_1$ and $A_2$ be two such factors, both of degree $d$. Let $\alpha$ be a root of $A_2$ in $\mathbb{F}_{2^d}$ (notice that all the roots of $A_2$ are in $\mathbb{F}_{2^d}$). Since $A_2$ is irreducible, $\alpha$ generates $\mathbb{F}_{2^d}$ over $\mathbb{F}_2$. Hence, there exists a polynomial $P \in \mathbb{F}_2[X]$ such that $\beta = P(\alpha)$.

By the Chinese remainder theorem, since $A_1$ and $A_2$ are coprime we can choose a polynomial $T$ such that $T \equiv 0 \pmod{A_1}$ and $T \equiv P \pmod{A_2}$, and $T$ is defined modulo the product $A_1 A_2$. Hence, we can choose $T$ of degree less than $2d$. But
$$U(T) \equiv U(0) = 0 \pmod{A_1}$$
and
$$U(T) \equiv U(P) \not\equiv 0 \pmod{A_2}$$
since
$$U(P(\alpha)) = U(\beta) \ne 0.$$
This contradicts $U(T) \equiv 0$ or $1$ modulo $A$, thus proving the validity of the algorithm. The same proof applied to $T^{p^d} - T$ instead of $U(T)$ explains why one can limit oneself to $\deg(T) \le 2d - 1$ in Algorithm 3.4.6. □

Proposition 3.4.7 and Algorithm 3.4.8 can be extended to general primes $p$, but are useful in practice only if $p$ is small (see Exercise 14).

There is another method for doing the final splitting due to Berlekamp which predates that of Cantor-Zassenhaus, and which is better in many cases. This method could be used as soon as the polynomial is squarefree. (In other words, if desirable, we can skip the distinct degree factorization.) It is based on the following proposition.

Proposition 3.4.9. Let $A \in \mathbb{F}_p[X]$ be a squarefree polynomial, and let
$$A(X) = \prod_{1 \le i \le r} A_i(X)$$
be its decomposition into irreducible factors. The polynomials $T \in \mathbb{F}_p[X]$ with $\deg(T) < \deg(A)$ for which for each $i$ with $1 \le i \le r$ there exist $s_i \in \mathbb{F}_p$ such that $T(X) \equiv s_i \pmod{A_i(X)}$, are exactly the $p^r$ polynomials $T$ such that $\deg(T) < \deg(A)$ and $T(X)^p \equiv T(X) \pmod{A(X)}$.

Proof. By the Chinese remainder Theorem 1.3.9 generalized to the Euclidean ring $\mathbb{F}_p[X]$, for each of the $p^r$ possible choices of $s_i \in \mathbb{F}_p$ ($1 \le i \le r$), there exists a unique polynomial $T \in \mathbb{F}_p[X]$ such that $\deg(T) < \deg(A)$ and for each $i$
$$T(X) \equiv s_i \pmod{A_i(X)}.$$
Now if $T$ is a solution of such a system, we have
$$T(X)^p \equiv s_i^p = s_i \equiv T(X) \pmod{A_i(X)}$$
for each $i$, hence
$$T(X)^p \equiv T(X) \pmod{A(X)}.$$
Conversely, note that we have in $\mathbb{F}_p[X]$ the polynomial identity $X^p - X = \prod_{0 \le s \le p-1} (X - s)$, hence
$$T(X)^p - T(X) = \prod_{0 \le s \le p-1} \big(T(X) - s\big).$$
Hence, if $T(X)^p \equiv T(X) \pmod{A(X)}$, we have for all $i$
$$A_i(X) \,\Big|\, \prod_{0 \le s \le p-1} \big(T(X) - s\big),$$
and since the $A_i$ are irreducible this means that $A_i(X) \mid T(X) - s_i$ for some $s_i \in \mathbb{F}_p$, thus proving the proposition. □

The relevance of this proposition to our splitting problem is the following. If $T$ is a solution of such a system of congruences with, say, $s_1 \ne s_2$, then $\gcd(A(X), T(X) - s_1)$ will be divisible by $A_1$ and not by $A_2$, hence it will be a non-trivial divisor of $A$. The above proposition tells us that to look for such nice polynomials $T$ it is not necessary to know the $A_i$, but simply to solve the congruence $T(X)^p \equiv T(X) \pmod{A(X)}$.

To solve this, write $T(X) = \sum_{0 \le j < n} t_j X^j$, where $n = \deg(A)$, with $t_j \in \mathbb{F}_p$. Then $T(X)^p = \sum_j t_j X^{pj}$, hence if we set
$$X^{pk} \equiv \sum_{0 \le i < n} q_{i,k} X^i \pmod{A(X)}$$
we have
$$T(X)^p \equiv \sum_j t_j \sum_i q_{i,j} X^i \pmod{A(X)},$$
so the congruence $T(X)^p \equiv T(X) \pmod{A(X)}$ is equivalent to
$$\sum_j t_j q_{i,j} = t_i \quad \text{for } 0 \le i < n.$$
If, in matrix terms, we set $Q = (q_{i,j})$, $V = (t_j)$ (column vector), and $I$ the identity matrix, this means that $QV = V$. In other words $(Q - I)V = 0$, so $V$ belongs to the kernel of the matrix $Q - I$.

Algorithm 2.3.1 will allow us to compute this kernel, and it is especially efficient since we work in a finite field where no coefficient explosion or instability occurs.

Thus we will obtain a basis of the kernel of $Q - I$, which will be of dimension $r$ by Proposition 3.4.9. Note that trivially $q_{i,0} = 0$ if $i > 0$ and $q_{0,0} = 1$, hence the column vector $(1, 0, \dots, 0)^t$ will always be an element of the kernel, corresponding to the trivial choice $T(X) = 1$. Any other basis element of the kernel will be useful. If $T(X)$ is the polynomial corresponding to a $V$ in the kernel of $Q - I$, we compute $(A(X), T(X) - s)$ for $0 \le s \le p - 1$. Since by Proposition 3.4.9 there exists an $s$ such that $T(X) \equiv s \pmod{A_1(X)}$, there will exist an $s$ which will give a non-trivial GCD, hence a splitting of $A$. We apply this to all values of $s$ and all basis vectors of the kernel until the $r$ irreducible factors of $A$ have been isolated (note that it is better to proceed in this way than to use the algorithm recursively once a split is found as in Algorithm 3.4.6 since it avoids the recomputation of $Q$ and of the kernel of $Q - I$).

This leads to the following algorithm.

Algorithm 3.4.10 (Berlekamp for Small $p$). Given a squarefree polynomial $A \in \mathbb{F}_p[X]$ of degree $n$, this algorithm computes the factorization of $A$ into irreducible factors.

1. [Compute $Q$] Compute inductively for $0 \le k < n$ the elements $q_{i,k} \in \mathbb{F}_p$ such that
$$X^{pk} \equiv \sum_{0 \le i < n} q_{i,k} X^i \pmod{A(X)}.$$

2. [Compute kernel] Using Algorithm 2.3.1, find a basis $V_1, \dots, V_r$ of the kernel of $Q - I$. Then $r$ will be the number of irreducible factors of $A$, and $V_1 = (1, 0, \dots, 0)^t$. Set $E \leftarrow \{A\}$, $k \leftarrow 1$, $j \leftarrow 1$ ($E$ will be a set of polynomials whose product is equal to $A$, $k$ its cardinality and $j$ is the index of the vector of the kernel which we will use).

3. [Finished?] If $k = r$, output $E$ as the set of irreducible factors of $A$ and terminate the algorithm. Otherwise, set $j \leftarrow j + 1$, and let $T(X)$ be the polynomial corresponding to the vector $V_j$ (i.e. $T(X) \leftarrow \sum_{0 \le i < n} (V_j)_i X^i$).

4. [Split] For each element $B \in E$ such that $\deg(B) > 1$ do the following. For each $s \in \mathbb{F}_p$ compute $(B(X), T(X) - s)$. Let $F$ be the set of such GCDs whose degree is greater than or equal to 1. Set $E \leftarrow (E \setminus \{B\}) \cup F$ and $k \leftarrow k - 1 + |F|$. If in the course of this computation we reach $k = r$, output $E$ and terminate the algorithm. Otherwise, go to step 3.

The main drawback of this algorithm is that the running time of step 4 is proportional to $p$, and this is slower than Algorithm 3.4.6 as soon as $p$ gets above 100, say. On the other hand, if $p$ is small, a careful implementation of this algorithm will be faster than Algorithm 3.4.6. This is important, since in many applications such as factoring polynomials over $\mathbb{Z}$, we will first factor the polynomial over a few fields $\mathbb{F}_p$ for small primes $p$ where Berlekamp's algorithm is superior.

If we use the idea of the Cantor-Zassenhaus split, we can however improve considerably Berlekamp's algorithm when $p$ is large. In steps 3 and 4, instead of considering the polynomials corresponding to the vectors $V_j - sV_1$ for $2 \le j \le r$ and $s \in \mathbb{F}_p$, we instead choose a random linear combination $V = \sum_{i=1}^{r} a_i V_i$ with $a_i \in \mathbb{F}_p$ and compute $(B(X), T(X)^{(p-1)/2} - 1)$, where $T$ is the polynomial corresponding to $V$. It is easy to show that this GCD will give a non-trivial factor of $B(X)$ with probability greater than or equal to $4/9$ when $p \ge 3$ and $B$ is reducible (see Exercise 17 and [Knu2] p. 429). This gives the following algorithm.

Algorithm 3.4.11 (Berlekamp). Given a squarefree polynomial $A \in \mathbb{F}_p[X]$ of degree $n$ (with $p \ge 3$), this algorithm computes the factorization of $A$ into irreducible factors.

1. [Compute $Q$] Compute inductively for $0 \le k < n$ the elements $q_{i,k} \in \mathbb{F}_p$ such that
$$X^{pk} \equiv \sum_{0 \le i < n} q_{i,k} X^i \pmod{A(X)}.$$

2. [Compute kernel] Using Algorithm 2.3.1, find a basis $V_1, \dots, V_r$ of the kernel of $Q - I$, and let $T_1, \dots, T_r$ be the corresponding polynomials. Then $r$ will be the number of irreducible factors of $A$, and $V_1 = (1, 0, \dots, 0)^t$ hence $T_1 = 1$. Set $E \leftarrow \{A\}$, $k \leftarrow 1$ ($E$ will be a set of polynomials whose product is equal to $A$ and $k$ its cardinality).

3. [Finished?] If $k = r$, output $E$ as the set of irreducible factors of $A$ and terminate the algorithm. Otherwise, choose $r$ random elements $a_i \in \mathbb{F}_p$, and set $T(X) \leftarrow \sum_{1 \le i \le r} a_i T_i(X)$.

4. [Split] For each element $B \in E$ such that $\deg(B) > 1$ do the following. Let $D(X) \leftarrow (B(X), T(X)^{(p-1)/2} - 1)$. If $\deg(D) > 0$ and $\deg(D) < \deg(B)$, set $E \leftarrow (E \setminus \{B\}) \cup \{D, B/D\}$ and $k \leftarrow k + 1$. If in the course of this computation we reach $k = r$, output $E$ and terminate the algorithm. Otherwise, go to step 3.

Note that if we precede either of these two Berlekamp algorithms by the distinct degree factorization procedure (Algorithm 3.4.3), we should replace the condition $\deg(B) > 1$ of step 4 by $\deg(B) > d$, since we know that all the irreducible factors of $A$ have degree $d$.

Using the algorithms of this section, we now have at our disposal several efficient methods for completely factoring polynomials modulo a prime $p$. We will now consider the more difficult problem of factoring over $\mathbb{Z}$.


3.5 Factorization of Polynomials over Z or Q

The first thing to note is that factoring over $\mathbb{Q}$ is essentially equivalent to factoring over $\mathbb{Z}$. Indeed if $A = \prod_i A_i$ where the $A_i$ are irreducible over $\mathbb{Q}$, then by multiplying by suitable rational numbers, we have $dA = \prod_i (d_i A_i)$ where the $d_i$ can be chosen so that the $d_i A_i$ have integer coefficients and are primitive. Hence it follows from Gauss's lemma (Theorem 3.2.8) that if $A \in \mathbb{Z}[X]$, then $d = \pm 1$. Conversely, if $A = \prod_i A_i$ with $A$ and the $A_i$ in $\mathbb{Z}[X]$ and the $A_i$ are irreducible over $\mathbb{Z}$, then the $A_i$ are also irreducible over $\mathbb{Q}$, by a similar use of Gauss's lemma.

Therefore in this section, we will consider only the problem of factoring a polynomial $A$ over $\mathbb{Z}$. If $A = BC$ is a splitting of $A$ in $\mathbb{Z}[X]$, then $\bar{A} = \bar{B}\bar{C}$ in $\mathbb{F}_p[X]$, where $\bar{\ }$ denotes reduction mod $p$. Hence we can start by reducing mod $p$ for some $p$, factor mod $p$, and then see if the factorization over $\mathbb{F}_p$ lifts to one over $\mathbb{Z}$. For this, it is essential to know an upper bound on the absolute value of the coefficients which can occur in a factor of $A$.
3.5.1 Bounds on Polynomial Factors

The results presented here are mostly due to Mignotte [Mig]. The aim of this section is to prove the following theorem:

Theorem 3.5.1. For any polynomial $P = \sum_{0 \le i \le n} p_i X^i \in \mathbb{C}[X]$ set $|P| = \big(\sum_i |p_i|^2\big)^{1/2}$. Let $A = \sum_{0 \le i \le m} a_i X^i$ and $B = \sum_{0 \le i \le n} b_i X^i$ be polynomials with integer coefficients, and assume that $B$ divides $A$. Then we have for all $j$
$$|b_j| \le \binom{n-1}{j} |A| + \binom{n-1}{j-1} |a_m|.$$

Proof. Let $\alpha$ be any complex number, and let $A = \sum_{0 \le i \le m} a_i X^i$ be any polynomial. Set $G(X) = (X - \alpha)A(X)$ and $H(X) = (\bar\alpha X - 1)A(X)$. Then
$$|G|^2 = \sum_i |a_{i-1} - \alpha a_i|^2 = \sum_i \big(|a_{i-1}|^2 + |\alpha a_i|^2 - 2\operatorname{Re}(\alpha a_i \overline{a_{i-1}})\big)$$
$$= \sum_i \big(|\bar\alpha a_{i-1}|^2 + |a_i|^2 - 2\operatorname{Re}(\alpha a_i \overline{a_{i-1}})\big) = \sum_i |\bar\alpha a_{i-1} - a_i|^2 = |H|^2.$$

Let now $A(X) = a_m \prod_j (X - \alpha_j)$ be the decomposition of $A$ over $\mathbb{C}$. If we set
$$C(X) = a_m \prod_{|\alpha_j| \ge 1} (X - \alpha_j) \prod_{|\alpha_j| < 1} (\bar\alpha_j X - 1),$$
it follows that $|C| = |A|$. Hence, taking into account only the coefficient of $X^m$ and the constant term, it follows that
$$|A|^2 = |C|^2 \ge |a_m|^2 \big(M(A)^2 + m(A)^2\big),$$
where
$$M(A) = \prod_{|\alpha_j| \ge 1} |\alpha_j|, \qquad m(A) = \prod_{|\alpha_j| < 1} |\alpha_j|.$$
In particular, $M(A) \le |A|/|a_m|$. Now
$$|a_j| = |a_m| \Big|\sum \alpha_{i_1} \cdots \alpha_{i_{m-j}}\Big| \le |a_m| \sum \beta_{i_1} \cdots \beta_{i_{m-j}},$$
where $\beta_i = \max(1, |\alpha_i|)$. Assume for the moment the following lemma:

Lemma 3.5.2. If $x_1 \ge 1, \dots, x_m \ge 1$ are real numbers constrained by the further condition that their product is equal to $M$, then the elementary symmetric function $\sigma_{m,k} = \sum x_{i_1} \cdots x_{i_k}$ satisfies
$$\sigma_{m,k} \le \binom{m-1}{k-1} M + \binom{m-1}{k}.$$

Since the product of the $\beta_i$ is by definition $M(A)$, it follows from the lemma that for all $j$,
$$|a_j| \le |a_m| \left( \binom{m-1}{m-j-1} M(A) + \binom{m-1}{m-j} \right) = |a_m| \left( \binom{m-1}{j} M(A) + \binom{m-1}{j-1} \right).$$

Coming back to our notations and applying the preceding result to the polynomial $B$, we see that $|b_j| \le |b_n| \big( \binom{n-1}{j} M(B) + \binom{n-1}{j-1} \big)$. It follows that $|b_j| \le |a_m| \big( \binom{n-1}{j} M(A) + \binom{n-1}{j-1} \big)$ since if $B$ divides $A$, we must have $M(B) \le M(A)$ (since the roots of $B$ are roots of $A$), and $|b_n| \le |a_m|$ (since in fact $b_n$ divides $a_m$). The theorem follows from this and the inequality $M(A) \le |A|/|a_m|$ proved above.

It remains to prove the lemma. Assume without loss of generality that $x_1 \le x_2 \le \cdots \le x_m$. If one changes the pair $(x_{m-1}, x_m)$ into the pair $(1, x_{m-1} x_m)$, all the constraints are still satisfied and it is easy to check that the value of $\sigma_{m,k}$ is increased by
$$\sigma_{m-2,k-1} \, (x_{m-1} - 1)(x_m - 1).$$
It follows that if $x_{m-1} > 1$, the point $(x_1, \dots, x_m)$ cannot be a maximum. Hence a necessary condition for a maximum is that $x_{m-1} = 1$. But this immediately implies that $x_i = 1$ for all $i < m$, and hence that $x_m = M$. It is now a simple matter to check the inequality of the lemma, the term $\binom{m-1}{k-1} M$ corresponding to $k$-tuples containing $x_m$, and the term $\binom{m-1}{k}$ to the ones which do not contain $x_m$. This finishes the proof of Theorem 3.5.1. □

A number of improvements can be made in the estimates given by this theorem. They do not seriously influence the running time of the algorithms using them, however, hence we will be content with this.


3.5.2 A First Approach to Factoring over Z

First note that for polynomials $A$ of degree 2 or 3 with coefficients which are not too large, the factoring problem is easy: if $A$ is not irreducible, it must have a linear factor $qX - p$, and $q$ must divide the leading term of $A$, and $p$ must divide the constant term. Hence, if the leading term and the constant term can be easily factored, one can check each possible divisor of $A$. An ad hoc method of this sort could be worked out also in higher degrees, but soon becomes impractical.

A second way of factoring over $\mathbb{Z}$ is to combine information obtained by the mod $p$ factorization methods. For example, if modulo some prime $p$, $A(X) \bmod p$ is irreducible, then $A(X)$ itself is of course irreducible. A less trivial example is the following: if for some $p$ a polynomial $A(X)$ of degree 4 breaks modulo $p$ into a product of two irreducible polynomials of degree 2, and for another $p$ into a product of a polynomial of degree 1 and an irreducible polynomial of degree 3, then $A(X)$ must be irreducible since these splittings are incompatible. Unfortunately, although this method is useful when combined with other methods, except for polynomials of small degree, when used alone it rarely works. For example, using the quadratic reciprocity law and the identities
$$X^4 + 1 = (X^2 + \sqrt{-1})(X^2 - \sqrt{-1}) = (X^2 - X\sqrt{2} + 1)(X^2 + X\sqrt{2} + 1) = (X^2 + X\sqrt{-2} - 1)(X^2 - X\sqrt{-2} - 1)$$
it is easy to check that the polynomial $X^4 + 1$ splits into 4 linear factors if $p = 2$ or $p \equiv 1 \pmod 8$, and into two irreducible quadratic factors otherwise. This is compatible with the possibility that $X^4 + 1$ could split into 2 quadratic factors in $\mathbb{Z}[X]$, and this is clearly not the case.

A third way to derive a factorization algorithm over $\mathbb{Z}$ is to use the bounds given by Theorem 3.5.1 and the mod $p$ factorization methods. Consider for example the polynomial
$$A(X) = X^6 - 6X^4 - 2X^3 - 7X^2 + 6X + 1.$$
If it is not irreducible, it must have a factor of degree at most 3. The bound of Theorem 3.5.1 shows that for any factor of degree less than or equal to 3 and any $j$, one must have $|b_j| \le 23$. Take now a prime $p$ greater than twice that bound and for which the polynomial $A \bmod p$ is squarefree, for example $p = 47$. The mod $p$ factoring algorithms of the preceding section show that modulo 47 we have
$$A(X) \equiv (X - 22)(X - 13)(X - 12)(X + 12)(X^2 - 12X - 4),$$
taking as representatives of $\mathbb{Z}/47\mathbb{Z}$ the numbers from $-23$ to $23$. Now the constant term of $A$ being equal to 1, up to sign any factor of $A$ must have that property. This immediately shows that $A$ has no factor of degree 1 over $\mathbb{Z}$ (this could of course have been checked more easily simply by noticing that $A(1)$ and $A(-1)$ are both non-zero), but it also shows that $A$ has no factor of degree 2 since modulo 47 we have $12 \cdot 22 = -18$, $12 \cdot 13 = 15$, $12 \cdot 12 = 3$ and $13 \cdot 22 = 4$. Hence, if $A$ is reducible, the only possibility is that $A$ is a product of two factors of degree 3. One of them must be divisible by $X^2 - 12X - 4$, and hence can be (modulo 47) equal to either $(X^2 - 12X - 4)(X - 12)$ (whose constant term is 1), or to $(X^2 - 12X - 4)(X + 12)$ (whose constant term is $-1$). Now modulo 47, we have $(X^2 - 12X - 4)(X - 12) = X^3 + 23X^2 - X + 1$ and $(X^2 - 12X - 4)(X + 12) = X^3 - 7X - 1$.

The first case can be excluded a priori because the bound of Theorem 3.5.1 gives $|b_2| \le 12$, hence 23 is too large. In the other case, by the choice made for $p$, this is the only polynomial in its congruence class modulo 47 satisfying the bounds of Theorem 3.5.1. Hence, if it divides $A$ in $\mathbb{Z}[X]$, we have found the factorization of $A$, otherwise we can conclude that $A$ is irreducible. Since one checks that $A(X) = (X^3 - 7X - 1)(X^3 + X - 1)$, we have thus obtained the complete factorization of $A$ over $\mathbb{Z}$. Note that the irreducibility of the factors of degree 3 has been proved along the way.

When the degree or the coefficients of $A$ are large however, the bounds of Theorem 3.5.1 imply that we must use a $p$ which is really large, and hence for which the factorization modulo $p$ is too slow. We can overcome this problem by keeping a small $p$, but factoring modulo $p^e$ for sufficiently large $e$.


3.5.3 Factorization Modulo p^e: Hensel's Lemma

The trick is that if certain conditions are satisfied, we can "lift" a factorization
modulo p to a factorization mod p^e for any desired e, without too much effort.
This is based on the following theorem, due to Hensel, and which was one of
his motivations for introducing p-adic numbers.

Theorem 3.5.3. Let p be a prime, and let C, A_e, B_e, U, V be polynomials
with integer coefficients and satisfying

$$C(X) \equiv A_e(X)B_e(X) \pmod{p^e}, \qquad U(X)A_e(X) + V(X)B_e(X) \equiv 1 \pmod{p}.$$

Assume that e ≥ 1, A_e is monic, deg(U) < deg(B_e), deg(V) < deg(A_e). Then
there exist polynomials A_{e+1} and B_{e+1} satisfying the same conditions with e
replaced by e + 1, and such that

$$A_{e+1}(X) \equiv A_e(X) \pmod{p^e}, \qquad B_{e+1}(X) \equiv B_e(X) \pmod{p^e}.$$

Furthermore, these polynomials are unique modulo p^{e+1}.

Proof. Set D = (C - A_eB_e)/p^e, which has integral coefficients by assumption.
We must have A_{e+1} = A_e + p^e S, B_{e+1} = B_e + p^e T with S and T in Z[X].
The main condition needed is C(X) ≡ A_{e+1}(X)B_{e+1}(X) (mod p^{e+1}). Since
2e ≥ e + 1, this is equivalent to

$$A_e T + B_e S \equiv (C - A_eB_e)/p^e = D \pmod{p}.$$

Since UA_e + VB_e = 1 in F_p[X] and F_p is a field, the general solution is
S ≡ VD + WA_e (mod p) and T ≡ UD - WB_e (mod p) for some polynomial
W. The conditions on the degrees imply that S and T are unique modulo
p, hence A_{e+1} and B_{e+1} are unique modulo p^{e+1}. Note that this proof is
constructive, and gives a simple algorithm to obtain A_{e+1} and B_{e+1}. □

For reasons of efficiency, it will be useful to have a more general version
of Theorem 3.5.3. The proof is essentially identical to the proof of Theorem
3.5.3, and will follow from the corresponding algorithm.

Theorem 3.5.4. Let p, q be (not necessarily prime) integers, and let r =
(p, q). Let C, A, B, U and V be polynomials with integer coefficients satisfying

$$C \equiv AB \pmod{q}, \qquad UA + VB \equiv 1 \pmod{p},$$

and assume that (ℓ(A), r) = 1, deg(U) < deg(B), deg(V) < deg(A) and
deg(C) = deg(A) + deg(B). (Note that this last condition is not automatically
satisfied since Z/qZ may have zero divisors.) Then there exist polynomials
A_1 and B_1 such that A_1 ≡ A (mod q), B_1 ≡ B (mod q), ℓ(A_1) = ℓ(A),
deg(A_1) = deg(A), deg(B_1) = deg(B) and

$$C \equiv A_1B_1 \pmod{qr}.$$

In addition, A_1 and B_1 are unique modulo qr if r is prime.

We give the proof as an algorithm.

Algorithm 3.5.5 (Hensel Lift). Given the assumptions and notations of Theorem
3.5.4, this algorithm outputs the polynomials A_1 and B_1. As a matter of
notation, we denote by K the ring Z/rZ.

1. [Euclidean division] Set f ← (C - AB)/q (mod r) ∈ K[X]. Using Algorithm
3.1.1 over the ring K, find t ∈ K[X] such that deg(Vf - At) < deg(A) (this
is possible even when K is not a field, since ℓ(A) is invertible in K).

2. [Terminate] Let A_0 be a lift of Vf - At to Z[X] having the same degree,
and let B_0 be a lift of Uf + Bt to Z[X] having the same degree. Output
A_1 ← A + qA_0, B_1 ← B + qB_0 and terminate the algorithm.

Proof. It is clear that BA_0 + AB_0 ≡ f (mod r). From this, it follows immediately
that C ≡ A_1B_1 (mod qr) and that deg(B_0) < deg(B), thus proving the
validity of the algorithm and of Theorem 3.5.4. □

If p | q, we can also if desired replace p by pr = p^2 in the following way.

Algorithm 3.5.6 (Quadratic Hensel Lift). Assume p | q, hence r = p. After
execution of Algorithm 3.5.5, this algorithm finds U_1 and V_1 such that U_1 ≡ U
(mod p), V_1 ≡ V (mod p), deg(U_1) < deg(B_1), deg(V_1) < deg(A_1) and

$$U_1A_1 + V_1B_1 \equiv 1 \pmod{pr}.$$

1. [Euclidean division] Set g ← (1 - UA_1 - VB_1)/p (mod r). Using Algorithm
3.1.1 over the same ring K = Z/rZ, find t ∈ K[X] such that deg(Vg - A_1t) <
deg(A_1), which is possible since ℓ(A_1) = ℓ(A) is invertible in K.

2. [Terminate] Let U_0 be a lift of Ug + B_1t to Z[X] having the same degree,
and let V_0 be a lift of Vg - A_1t to Z[X] having the same degree. Output
U_1 ← U + pU_0, V_1 ← V + pV_0 and terminate the algorithm.

It is not difficult to see that at the end of this algorithm, (A_1, B_1, U_1, V_1)
satisfy the same hypotheses as (A, B, U, V) in the theorem, with (p, q) replaced
by (pr, qr).
The condition p | q is necessary for Algorithm 3.5.6 (not for Algorithm
3.5.5), and was forgotten by Knuth (page 628). Indeed, if p ∤ q, g does not
have integral coefficients in general, since after constructing A_1 and B_1, one
has only the congruence UA_1 + VB_1 ≡ 1 (mod r) and not (mod p). Of course,
this only shows that Algorithm 3.5.6 cannot be used in that case, but it does
not show that it is impossible to find U_1 and V_1 by some other method. It is
however easy to construct counterexamples. Take p = 33, q = 9, hence r = 3,
and A(X) = X - 3, B(X) = X - 4, C(X) = X^2 + 2X + 3, U(X) = 1 and
V(X) = -1. The conditions of the theorem are satisfied, and Algorithm 3.5.5
gives us A_1(X) = X - 21 and B_1(X) = X + 23. Consider now the congruence
that we want, i.e.

$$U_1(X)(X - 21) + V_1(X)(X + 23) \equiv 1 \pmod{99},$$

or equivalently

$$U_1(X)(X - 21) + V_1(X)(X + 23) = 1 + 99W(X),$$

where all the polynomials involved have integral coefficients. If we set X = 21,
we obtain 44V_1(21) = 1 + 99W(21), hence 0 ≡ 1 (mod 11) which is absurd.
This shows that even without any restriction on the degrees, it is not always
possible to lift p to pr if p ∤ q.

The advantage of using both algorithms instead of one is that we can
increase the value of the exponent e much faster. Assume that we start with
p = q. Then, by using Algorithm 3.5.5 alone, we keep p fixed, and q takes
the successive values p^2, p^3, etc. If instead we use both Algorithms 3.5.5
and 3.5.6, the pair (p, q) takes the successive values (p^2, p^2), (p^4, p^4), etc.,
with the exponent doubling each time. In principle this is much more efficient.
When the exponent gets large however, the method slows down because of the
appearance of multi-precision numbers. Hence, Knuth suggests the following
recipe: let E be the smallest power of 2 such that p^E cannot be represented
as a single precision number, and e be the largest integer such that p^e is a
single precision number. He suggests working successively with the following
pairs (p, q):

(p, p), (p^2, p^2), (p^4, p^4), ..., (p^{E/2}, p^{E/2}) using both algorithms, then
(p^e, p^E) using both algorithms again but a reduced value of the exponent
of p (since e < E) and finally (p^e, p^{E+e}), (p^e, p^{E+2e}), (p^e, p^{E+3e}), ... using
only Algorithm 3.5.5.

Finally, note that by induction, one can extend Algorithms 3.5.5 and 3.5.6
to the case where C is congruent to a product of more than 2 pairwise coprime
polynomials mod p.
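To make the lifting concrete, here is an added Python implementation of Algorithms 3.5.5 and 3.5.6 together with the doubling schedule (p, p), (p^2, p^2), (p^4, p^4), ... described above. It is example code written for this edition, not code from the book; polynomials are lists of integer coefficients in increasing degree, and all function names are my own. The sample input is the polynomial A(X) = (X^3 - 7X - 1)(X^3 + X - 1) = X^6 - 6X^4 - 2X^3 - 7X^2 + 6X + 1 from the example that opens this section, lifted from its factorization modulo 3 (where the two cubic factors are coprime) up to modulus 3^8, after which the centered lifts are exactly the integer factors. The counterexample with p = 33, q = 9 is reproduced as well: Algorithm 3.5.5 succeeds and returns X + 6 and X - 4, which are congruent modulo 27 to the X - 21 and X + 23 above, while the quadratic lift is refused because 1 - UA_1 - VB_1 is not divisible by p.

```python
from math import gcd

# Polynomials are lists of Python ints, lowest degree first; [] is the zero polynomial.

def trim(p):
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def padd(a, b, sign=1):
    """a + sign*b (sign = -1 gives a - b)."""
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + sign * (b[i] if i < len(b) else 0) for i in range(n)])

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def pmod(a, m):
    return trim([c % m for c in a])

def center(a, m):
    """Representative of a mod m with all coefficients in [-m/2, m/2[."""
    return trim([((c + m // 2) % m) - m // 2 for c in a])

def pdivmod(a, b, m):
    """Euclidean division in K[X], K = Z/mZ (Algorithm 3.1.1 over K).
    K need not be a field: it suffices that the leading coefficient of b is invertible mod m."""
    a, b = pmod(a, m), pmod(b, m)
    inv = pow(b[-1], -1, m)
    q, r = [0] * max(len(a) - len(b) + 1, 0), a
    while len(r) >= len(b):
        k, c = len(r) - len(b), r[-1] * inv % m
        q[k] = c
        for i, bc in enumerate(b):
            r[k + i] = (r[k + i] - c * bc) % m
        r = trim(r)
    return trim(q), r

def ext_gcd(a, b, p):
    """Extended Euclid in F_p[X]: returns (g, u, v) with u*a + v*b = g, g monic."""
    r0, r1, u0, u1, v0, v1 = pmod(a, p), pmod(b, p), [1], [], [], [1]
    while r1:
        q, r = pdivmod(r0, r1, p)
        r0, r1 = r1, r
        u0, u1 = u1, pmod(padd(u0, pmul(q, u1), -1), p)
        v0, v1 = v1, pmod(padd(v0, pmul(q, v1), -1), p)
    inv = pow(r0[-1], -1, p)
    return [c * inv % p for c in r0], [c * inv % p for c in u0], [c * inv % p for c in v0]

def hensel_lift(C, A, B, U, V, p, q):
    """Algorithm 3.5.5: from C = AB (mod q) and UA + VB = 1 (mod p) produce A1, B1 with
    A1 = A, B1 = B (mod q) and C = A1*B1 (mod q*r), where r = gcd(p, q)."""
    r = gcd(p, q)
    diff = padd(C, pmul(A, B), -1)
    assert all(c % q == 0 for c in diff), "C is not congruent to A*B mod q"
    f = pmod([c // q for c in diff], r)           # f = (C - AB)/q  in K[X]
    t, A0 = pdivmod(pmul(V, f), A, r)             # V f = A t + A0 with deg(A0) < deg(A)
    B0 = pmod(padd(pmul(U, f), pmul(B, t)), r)    # B A0 + A B0 = f (mod r)
    return padd(A, [q * c for c in A0]), padd(B, [q * c for c in B0])

def quadratic_lift(A1, B1, U, V, p):
    """Algorithm 3.5.6 (needs p | q, hence r = p): U1, V1 with U1*A1 + V1*B1 = 1 (mod p^2)."""
    g = padd([1], padd(pmul(U, A1), pmul(V, B1)), -1)
    if any(c % p for c in g):
        raise ValueError("U*A1 + V*B1 is not 1 mod p: the quadratic lift needs p | q")
    g = pmod([c // p for c in g], p)
    t, V0 = pdivmod(pmul(V, g), A1, p)            # V g = A1 t + V0 with deg(V0) < deg(A1)
    U0 = pmod(padd(pmul(U, g), pmul(B1, t)), p)
    return padd(U, [p * c for c in U0]), padd(V, [p * c for c in V0])

def lift_factorization(C, A, B, p, target):
    """Start from C = A*B (mod p), A and B monic and coprime mod p, and double the
    exponent, (p,p) -> (p^2,p^2) -> (p^4,p^4) ..., until the modulus reaches `target`.
    Returns the centered lifts of A and B and the final modulus."""
    g, U, V = ext_gcd(A, B, p)
    if g != [1]:
        raise ValueError("A and B must be coprime mod p")
    A, B, modulus = pmod(A, p), pmod(B, p), p
    while modulus < target:
        A, B = hensel_lift(C, A, B, U, V, modulus, modulus)   # C = A*B (mod modulus^2)
        U, V = quadratic_lift(A, B, U, V, modulus)            # U*A + V*B = 1 (mod modulus^2)
        modulus *= modulus
    return center(A, modulus), center(B, modulus), modulus

if __name__ == "__main__":
    # Constructed sample: X^6 - 6X^4 - 2X^3 - 7X^2 + 6X + 1, factored mod 3 as
    # (X^3 + 2X + 2)(X^3 + X + 2); the lift recovers (X^3 - 7X - 1)(X^3 + X - 1).
    print(lift_factorization([1, 6, -7, -2, -6, 0, 1], [2, 2, 0, 1], [2, 1, 0, 1], 3, 3**8))
```

The lifts in `hensel_lift` use representatives in [0, r), which is one legitimate choice of "a lift having the same degree"; the book's X - 21 and X + 23 are another, and the two agree modulo qr = 27 as Theorem 3.5.4 promises. Because every step of the doubling schedule keeps p = q, the Bezout identity is refreshed by `quadratic_lift` before the next call, which is exactly the condition p | q that the counterexample shows cannot be dropped.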

3.5.4 Factorization of Polynomials over Z

We now have enough ingredients to give a reasonably efficient method for
factoring polynomials over the integers as follows.

Algorithm 3.5.7 (Factor in Z[X]). Let A ∈ Z[X] be a non-zero polynomial.
This algorithm finds the complete factorization of A in Z[X].

1. [Reduce to squarefree and primitive] Set c ← cont(A), A ← A/c, U ←
A/(A, A') where (A, A') is computed using the sub-resultant Algorithm 3.3.1,
or the method of Section 3.6.1 below. (Now U will be a squarefree primitive
polynomial. In this step, we could also use the squarefree decomposition
Algorithm 3.4.2 to reduce still further the degree of U.)

2. [Find a squarefree factorization mod p] For each prime p, compute (U, U')
over the field F_p, and stop when this GCD is equal to 1. For this p, using the
algorithms of Section 3.4, find the complete factorization of U mod p (which
will be squarefree). Note that in this squarefree factorization it is not necessary
to find each A_i from the U_i; we will have A_i = U_i since T = (U, U') = 1.

3. [Find bound] Using Theorem 3.5.1, find a bound B for the coefficients of
factors of U of degree less than or equal to deg(U)/2. Choose e to be the
smallest exponent such that p^e > 2ℓ(U)B.

4. [Lift factorization] Using generalizations of Algorithms 3.5.5 and 3.5.6, and the
procedure explained in the preceding section, lift the factorization obtained in
step 2 to a factorization mod p^e. (One will also have to use Euclid's extended
Algorithm 3.2.2.) Let

$$U \equiv \ell(U)\,U_1U_2\cdots U_r \pmod{p^e}$$

be the factorization of U mod p^e, where we can assume the U_i to be monic.
Set d ← 1.

5. [Try combination] For every combination of factors V = U_{i_1}⋯U_{i_d}, where in
addition we take i_1 = 1 if d = r/2, compute the unique polynomial $\bar V$ ∈ Z[X]
such that all the coefficients of $\bar V$ are in [-p^e/2, p^e/2[, and satisfying $\bar V$ ≡ ℓ(U)V
(mod p^e) if deg(V) ≤ deg(U)/2, $\bar V$ ≡ U/V (mod p^e) if deg(V) > deg(U)/2.

If $\bar V$ divides ℓ(U)U in Z[X], output the factor F = pp($\bar V$), the exponent
of F in A, set U ← U/F, and remove the corresponding U_i from the list of
factors mod p^e (i.e. remove U_{i_1}⋯U_{i_d} and set r ← r - d if d ≤ r/2, or leave
only these factors and set r ← d otherwise). If d > r/2 terminate the algorithm
by outputting pp(U) if deg(U) > 0.

6. Set d ← d + 1. If d ≤ r/2 go to step 5, otherwise terminate the algorithm by
outputting pp(U) if deg(U) > 0.

Implementation Remarks. To decrease the necessary bound B, it is a good
idea to reverse the coefficients of the polynomial U if |u_0| < |u_n| (where of
course we have cast out all powers of X so that u_0 ≠ 0). Then the factors will
be the reverse of the factors found.

In step 5, before trying to see whether $\bar V$ divides ℓ(U)U, one should first
test the divisibility of the constant terms, i.e. whether $\bar V$(0) | ℓ(U)U(0), since
this will be rarely satisfied in general.
An important improvement can be obtained by using the information
gained by factoring modulo a few small primes as mentioned in the second
paragraph of Section 3.5.2. More precisely, apply the distinct degree factorization
Algorithm 3.4.3 to U modulo a number of primes p_k (Musser and
Knuth suggest about 5). If d_j are the degrees of the factors (it is not necessary
to obtain the factors themselves) repeated with suitable multiplicity (so
that Σ_j d_j = n = deg(U)), build a binary string D_k of length n + 1 which
represents the degrees of all the possible factors mod p_k in the following way:
Set D_k ← (0...01), representing the set with the unique element {0}. Then,
for every d_j set

$$D_k \leftarrow D_k \vee (D_k \ll d_j),$$

where ∨ is inclusive "or", and D_k ≪ d_j is D_k shifted left d_j bits. (If desired, one
can work with only the rightmost [(n + 1)/2] bits of this string by symmetry
of the degrees of the factors.)

Finally compute D ← ∧_k D_k, i.e. the logical "and" of the bit strings. If
the binary string D has only one bit at each end, corresponding to factors of
degree 0 and n, this already shows that U is irreducible. Otherwise, choose
for p the p_k giving the least number of factors. Then, during the execution of
step 5 of Algorithm 3.5.7, keep only those d-uplets (i_1, ..., i_d) such that the
bit number deg(U_{i_1}) + ⋯ + deg(U_{i_d}) of D is equal to 1.
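As an added example (not code from the book), the following Python functions build the bit strings D_k, combine them into D, pick the prime with the fewest factors, and apply the resulting pruning to the d-uplets of step 5 of Algorithm 3.5.7. The degree patterns used as input are constructed for the illustration: a polynomial of degree 6 that splits as 1 + 1 + 4, 3 + 3 and 2 + 4 modulo three different primes is proved irreducible by the "and" alone, although each prime on its own allows a non-trivial factor, while the pattern 1 + 2 + 3 combined with 3 + 3 leaves only products of degree 3 to be tested.

```python
from itertools import combinations

def degree_set(factor_degrees, n):
    """The bit string D_k of length n+1: bit i is set iff some product of the
    factors found mod p_k has degree i.  Start from (0...01) and, for every
    factor degree d_j, set D_k <- D_k OR (D_k << d_j)."""
    D = 1                                   # only degree 0 (the empty product)
    for d in factor_degrees:
        D |= D << d
    return D & ((1 << (n + 1)) - 1)         # keep n+1 bits (degrees 0..n)

def possible_factor_degrees(degree_lists, n):
    """D = AND of all the D_k: a degree survives only if it is achievable
    modulo every prime that was tried."""
    D = (1 << (n + 1)) - 1
    for degs in degree_lists:
        D &= degree_set(degs, n)
    return D

def degrees_in(D):
    """The set of degrees encoded by a bit string, as a sorted list."""
    return [i for i in range(D.bit_length()) if D >> i & 1]

def proven_irreducible(D, n):
    """Only the bits for degree 0 and degree n are left."""
    return D == (1 | 1 << n)

def best_prime_index(degree_lists):
    """Index of the prime giving the least number of factors mod p_k (the one
    to use for the Hensel lift)."""
    return min(range(len(degree_lists)), key=lambda k: len(degree_lists[k]))

def admissible_combinations(degrees_mod_p, d, D):
    """d-uplets (i_1, ..., i_d) of factor indices whose total degree has its
    bit set in D; all other combinations are skipped in step 5."""
    idx = range(len(degrees_mod_p))
    return [combo for combo in combinations(idx, d)
            if D >> sum(degrees_mod_p[i] for i in combo) & 1]

if __name__ == "__main__":
    # Constructed degree patterns for a polynomial of degree 6 modulo three primes.
    D = possible_factor_degrees([[1, 1, 4], [3, 3], [2, 4]], 6)
    print(degrees_in(D), proven_irreducible(D, 6))          # [0, 6] True
    D = possible_factor_degrees([[1, 2, 3], [3, 3]], 6)
    print(degrees_in(D), admissible_combinations([1, 2, 3], 2, D))   # [0, 3, 6] [(0, 1)]
```

Python integers serve directly as bit strings of arbitrary length, so `D << d` and `D & mask` are the shift and mask operations of the text; the mask keeps the string at n + 1 bits so that "one bit at each end" can be tested by comparing with the integer 1 + 2^n.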

Note that the prime chosen to make the Hensel lift will usually be small
(say less than 20), hence in the modulo p factorization part, it will probably
be faster to use Algorithm 3.4.10 than Algorithm 3.4.6 for the final splitting.


3.5.5 Discussion

As one can see, the problem of factoring over Z (or over Q, which is essentially
equivalent) is quite a difficult problem, and leads to an extremely complex
algorithm, where there is a lot of room for improvement. Since this algorithm
uses factorization mod p as a sub-algorithm, it is probabilistic in nature. Even
worse, the time spent in step 5 above can be exponential in the degree. Therefore,
a priori, the running time of the above algorithm is exponential in the
degree. Luckily, in practice, its average behavior is random polynomial time.
One should keep in mind however that in the worst case it is exponential time.

An important fact, discovered only relatively recently (1982) by Lenstra,
Lenstra and Lovász is that it is possible to factor a polynomial over Z[X] in
polynomial time using a deterministic algorithm. This is surprising in view
of the corresponding problem over Z/pZ[X] which should be simpler, and
for which no such deterministic polynomial time algorithm is known, at least
without assuming the Generalized Riemann Hypothesis. Their method uses
in a fundamental way the LLL algorithm seen in Section 2.6.

The problem with the LLL factoring method is that, although in theory
it is very nice, in practice it seems that it is quite a lot slower than the
algorithm presented above. Therefore we will not give it here, but refer the
interested reader to [LLL]. Note also that A. K. Lenstra has shown that similar
algorithms exist over number fields, and also for multivariate polynomials.

There is however a naive way to apply LLL which gives reasonably good
results. Let A be the polynomial to be factored, and assume, as one may, that it
is squarefree (but not necessarily primitive). Then compute the roots α_i of A
in C with high accuracy (say 19 decimal digits) (for example using Algorithm
3.6.6 below), then apply Algorithm 2.7.4 to 1, α, ..., α^{k-1} for some k < n,
where α is one of the α_i. Then if A is not irreducible, and if the constant
N of Algorithm 2.7.4 is suitably chosen, α will be a root of a polynomial in
Z[X] of some degree k < n, and this polynomial will probably be discovered
by Algorithm 2.7.4. Of course, the results of Algorithm 2.7.4 may not correspond
to exact relations, so to be sure that one has found a factor, one must
algebraically divide A by its tentative divisor.

Although this method does not seem very clean and rigorous, it is certainly
the easiest to implement. Hence, it should perhaps be tried before any of
the more sophisticated methods above. In fact, in [LLL], it is shown how to
make this method into a completely rigorous method. (They use p-adic factors
instead of complex roots, but the result is the same.)


3.6 Additional Polynomial Algorithms

3.6.1 Modular Methods for Computing GCD's in Z[X]

Using methods inspired from the factoring methods over Z, one can return
to the problem of computing GCD's over the specific UFD Z, and obtain
an algorithm which can be faster than the algorithms that we have already
seen. The idea is as follows. Let D = (A, B) in Z[X], and let Q = (A, B) in
F_p[X] where Q is monic. Then D mod p is a common divisor of A and B in
F_p[X], hence D divides Q in the ring F_p[X]. (We should put bars over the
letters to distinguish polynomials in Z[X] from their reductions in F_p[X], but
the language makes it clear.)

If p does not divide both ℓ(A) and ℓ(B), then p does not divide ℓ(D) and
so deg(D) ≤ deg(Q). If, for example, we find that Q = 1 in F_p[X], it follows
that D is constant, hence that D = (cont(A), cont(B)). This is in general
much easier to check than to use any version of the Euclidean algorithm over
a UFD (Algorithm 3.3.1 for example). Note also that, contrary to the case
of integers, two random polynomials over Z are in general coprime. (In fact
a single random polynomial is in general irreducible.) In general however, we
are in a non-random situation so we must work harder. Assume without loss
of generality that A and B are primitive.

So as not to be bothered with leading coefficients, instead of D, we will
compute an integer multiple D_1 = c · (A, B) such that

$$\ell(D_1) = (\ell(A), \ell(B))$$

(i.e. with c = (ℓ(A), ℓ(B))/ℓ(D)). We can then recover D = pp(D_1) since we
have assumed A and B primitive.

Let M be the smallest of the bounds given by Theorem 3.5.1 for the
two polynomials ℓA and ℓB, where ℓ = (ℓ(A), ℓ(B)), and where we limit the
degree of the factor by deg(Q). Assume for the moment that we skip the
Hensel step, i.e. that we take p > 2M (which in any case is the best choice if
this leaves p in single precision). Compute the unique polynomial Q_1 ∈ Z[X]
such that Q_1 ≡ ℓQ (mod p) and having all its coefficients in [-p/2, p/2[. If
pp(Q_1) is a common divisor of A and B (in Z[X]!), then since D divides Q
mod p, it follows that (A, B) = pp(Q_1). If it is not a common divisor, it is not
difficult to see that this will happen only if p divides the leading term of one
of the intermediate polynomials computed in the primitive form of Euclid's
algorithm over a UFD (Algorithm 3.2.10), hence this will not occur often. If
this phenomenon occurs, try again with another prime, and it should quickly
work.

If M is really large, then one can use Hensel-type methods to determine
D_1 mod p^e for sufficiently large e. The techniques are completely analogous
to the ones given in the preceding sections and are left to the reader.

Perhaps the best conclusion for this section is to quote Knuth essentially
verbatim:

"The GCD algorithms sketched here are significantly faster than those
of Sections 3.2 and 3.3 except when the polynomial remainder sequence is
very short. Perhaps the best general procedure would be to start with the
computation of (A, B) modulo a fairly small prime p, not a divisor of both
ℓ(A) and ℓ(B). If the result Q is 1, we are done; if it has high degree, we use
Algorithm 3.3.1; otherwise we use one of the above methods, first computing
a bound for the coefficients of D_1 based on the coefficients of A and B and
on the (small) degree of Q. As in the factorization problem, we should apply
this procedure to the reverses of A and B and reverse the result, if the trailing
coefficients are simpler than the leading ones."


3.6.2 Factorization of Polynomials over a Number Field

This short section belongs naturally in this chapter but uses notions which
are introduced only in Chapter 4, so please read Chapter 4 first before reading
this section if you are not familiar with number fields.

In several instances, we will need to factor polynomials not only over Q but
also over number fields K = Q(θ). Following [Poh-Zas], we give an algorithm
for performing this task (see also [Tra]).

Let A(X) = Σ_{0≤i≤m} a_i X^i ∈ K[X] be a non-zero polynomial. As usual,
we can start by computing A/(A, A') so we can transform it into a squarefree
polynomial, since K[X] is a Euclidean domain. On the other hand, note that
it is not always possible to compute the content of A since the ring of integers
Z_K of K is not always a PID.
Call σ_j the m = [K : Q] embeddings of K into C. We can extend σ_j
naturally to K[X] by acting on the coefficients, and in particular we can
define the norm of A as follows

$$N(A) = \prod_{1 \le j \le m} \sigma_j(A),$$

and it is clear by Galois theory that N(A) ∈ Q[X].

We have the following lemmas. Note that when we talk of factorizations
of polynomials, it is always up to multiplication by units of K[X], i.e. by
elements of K.

Lemma 3.6.1. If A(X) ∈ K[X] is irreducible then N(A)(X) is equal to the
power of an irreducible polynomial of Q[X].

Proof. Let N(A) = ∏_i N_i^{e_i} be a factorization of N(A) into irreducible factors
in Q[X]. Since A | N(A) in K[X] and A is irreducible in K[X], we have A | N_i
in K[X] for some i. But since N_i ∈ Q[X], it follows that σ_j(A) | N_i for all j,
and consequently N(A) | N_i^m in K[X], hence in Q[X], so N(A) = N_i^{m'} for
some m' ≤ m. □

Lemma 3.6.2. Let A ∈ K[X] be a squarefree polynomial, where K = Q(θ).
Then there exists only a finite number of k ∈ Q such that N(A(X - kθ)) is
not squarefree.

Proof. Denote by (β_{i,j})_{1≤i≤m} the roots of σ_j(A). If k ∈ Q, it is clear that
N(A(X - kθ)) is not squarefree if and only if there exist i_1, i_2, j_1, j_2 such
that

$$\beta_{i_1,j_1} + k\,\sigma_{j_1}(\theta) = \beta_{i_2,j_2} + k\,\sigma_{j_2}(\theta),$$

or equivalently k = (β_{i_1,j_1} - β_{i_2,j_2})/(σ_{j_2}(θ) - σ_{j_1}(θ)), and there are only a finite
number of such k. □

The following lemma now gives us the desired factorization of A in K[X].

Lemma 3.6.3. Assume that A(X) ∈ K[X] and N(A)(X) ∈ Q[X] are both
squarefree. Let N(A) = ∏_{1≤i≤g} N_i be the factorization of N(A) into irreducible
factors in Q[X]. Then A = ∏_{1≤i≤g} gcd(A, N_i) is a factorization of A
into irreducible factors in K[X].

Proof. Let A = ∏_{1≤i≤h} A_i be the factorization of A into irreducible factors in
K[X]. Since N(A) is squarefree, N(A_i) also, hence by Lemma 3.6.1 N(A_i) =
N_{j(i)} for some j(i). Furthermore, since for j ≠ i, N(A_iA_j) | N(A) hence is
squarefree, N(A_i) is coprime to N(A_j). So by suitable reordering, we obtain
N(A_i) = N_i and also g = h. Finally, since for j ≠ i, A_j is coprime to N_i it
follows that A_i = gcd(A, N_i) in K[X] (as usual up to multiplicative constants),
and the lemma follows. □

With these lemmas, it is now easy to give an algorithm for the factorization
of A ∈ K[X].

Algorithm 3.6.4 (Polynomial Factorization over Number Fields). Let K =
Q(θ) be a number field, T ∈ Q[X] the minimal monic polynomial of θ. Let A(X)
be a non-zero polynomial in K[X]. This algorithm finds a complete factorization
of A in K[X].

1. [Reduce to squarefree] Set U ← A/(A, A') where (A, A') is computed in K[X]
using the sub-resultant Algorithm 3.3.1. (Now U will be a squarefree primitive
polynomial. In this step, we could also use the squarefree decomposition
Algorithm 3.4.2 to reduce still further the degree of U.)

2. [Initialize search] Let U(X) = Σ_{0≤i≤m} u_i X^i ∈ K[X] and write u_i = g_i(θ) for
some polynomial g_i ∈ Q[X]. Set G(X, Y) ← Σ_{0≤i≤m} g_i(Y) X^i ∈ Q[X, Y]
and k ← 0.

3. [Search for squarefree norm] Using the sub-resultant Algorithm 3.3.7 over the
UFD Q[Y], compute N(X) ← R_Y(T(Y), G(X - kY, Y)) where R_Y denotes
the resultant with respect to the variable Y. If N(X) is not squarefree (tested
using Algorithm 3.3.1), set k ← k + 1 and go to step 3.

4. [Factor norm] (Here N(X) is squarefree) Using Algorithm 3.5.7, let N ←
∏_{1≤i≤g} N_i be a factorization of N in Q[X].

5. [Output factorization] For i = 1, ..., g set A_i(X) ← gcd(U(X), N_i(X + kθ))
computed in K[X] using Algorithm 3.3.1, output A_i and the exponent of A_i
in A (obtained simply by replacing A by A/A_i as long as A_i | A). Terminate
the algorithm.

Proof. The lemmas that we have given above essentially prove the validity
of this algorithm, apart from the easily checked fact that the sub-resultant
computed in step 3 indeed gives the norm of the polynomial U. □

Remarks.

(1) The norm of U could also be computed using floating point approximations
to the roots of T, since (if our polynomials have algebraic integer coefficients)
it will have coefficients in Z. This is often faster than sub-resultant
computations, but requires careful error bounds.

(2) Looking at the proof of Lemma 3.6.2, it is also clear that floating point
computations allow us to give the list of values of k to avoid in step 3, so
no trial and error is necessary. However this is not really important since
step 3 is in practice executed only once or twice.

(3) The factors that we have found are not necessarily in Z_K[X], and, as
already mentioned, factoring in Z_K[X] requires a little extra work since
Z_K is not necessarily a PID.

146 


3  Algorithms  on  Polynomials 


3.6.3 A Root Finding Algorithm over C

In many situations, it is useful to compute explicitly, to some desired approximation,
all the complex roots of a polynomial. There exist many methods
for doing this. It is a difficult problem of numerical analysis and it is not my
intention to give a complete description here, or even to give a description of
the "best" method if there is one such. I want to give one reasonably simple
algorithm which works most of the time quite well, although it may fail
in some situations. In practice, it is quite sufficient, especially if one uses a
multi-precision package which allows you to increase the precision in case of
failure.

This method is based on the following proposition.

Proposition 3.6.5. If P(X) ∈ C[X] and x ∈ C, then if P(x) ≠ 0 and
P'(x) ≠ 0 there exists a positive real number λ such that

$$\left| P\!\left(x - \lambda\,\frac{P(x)}{P'(x)}\right) \right| < |P(x)|.$$

Proof. Trivial by Taylor's theorem. In fact, this proposition is valid for any
analytic function in the neighborhood of x, and not only for polynomials. □

Note also that as soon as x is sufficiently close to a simple root of P, we
can take λ = 1, and then the formula is nothing but Newton's formula, and
as usual the speed of convergence is quadratic.

This leads to the following algorithm, which I call Newton's modified algorithm.
Since we will be using this algorithm for irreducible polynomials over
Q, we can assume that the polynomial we are dealing with is at least squarefree.
The modifications necessary to handle the general case are easy and left
to the reader.

Algorithm 3.6.6 (Complex Roots). Given a squarefree polynomial P, this
algorithm outputs its complex roots (in a random order). In quite rare cases the
algorithm may fail. On the other hand it is absolutely necessary that the polynomial
be squarefree (this can be achieved by replacing P by P/(P, P')).

1. [Initializations] Set Q ← P, compute P', set Q' ← P', and set n ← deg(P).
Finally, set f ← 1 if P has real coefficients, otherwise set f ← 0.

2. [Initialize root finding] Set x ← 1.3 + 0.314159i, v ← Q(x) and m ← |v|^2.

3. [Initialize recursion] Set c ← 0 and dx ← v/Q'(x). If |dx| is smaller than the
desired absolute accuracy, go to step 5.

4. [Try a λ] Set y ← x - dx, v_1 ← Q(y) and m_1 ← |v_1|^2. If m_1 < m, set x ← y,
v ← v_1, m ← m_1 and go to step 3. Otherwise, set c ← c + 1, dx ← dx/4.
If c < 20 go to step 4, otherwise output an error message saying that the
algorithm has failed.

5. [Polish root] Set x ← x - P(x)/P'(x) twice.

6. [Divide] If f = 0 or if f = 1 and the absolute value of the imaginary part of
x is less than the required accuracy, set it equal to 0, output x, set Q(X) ←
Q(X)/(X - x) and n ← n - 1. Otherwise, output x and x̄, set Q(X) ←
Q(X)/(X^2 - 2Re(x)X + |x|^2) and n ← n - 2. Finally, if n > 0 then go to
step 2, otherwise terminate the algorithm.


Remarks. 

(1)  The  starting  value  1.3  +  0.314159?  given  in  step  2  is  quite  arbitrary.  It  has 
been  chosen  so  as  not  to  be  too  close  to  a  trivial  algebraic  number,  and 
not  too  far  from  the  real  axis,  although  not  exactly  on  it. 

(2)  The  value  20  taken  in  step  4,  as  well  as  the  division  by  4,  are  also  arbitrary 
but  correspond  to  realistic  situations.  If  we  find  m,\  >  m,  this  means  that 
we  are  quite  far  away  from  the  “attraction  zone”  of  a  root.  Hence,  thanks 
to  Proposition  3.6.5,  it  is  preferable  to  divide  the  increment  by  4  and  not 
by  2  for  example,  so  as  to  have  a  much  higher  chance  of  winning  next 
time.  Similarly,  the  limitation  of  20  correspond  to  an  increment  which 
is  420  ~  1012  times  smaller  than  the  Newton  increment,  and  this  is  in 
general  too  small  to  make  any  difference.  In  that  case,  it  will  be  necessary 
to  increase  the  working  precision. 

(3) After each division done in step 6, the quality of the coefficients of $Q$ will deteriorate. Hence, after finding an approximate root, it is essential to polish it, using for example the standard Newton iteration, but with the polynomial $P$ and not $Q$. It is not necessary to use a factor $\lambda$ since we are in principle well inside the attraction zone of a root. Two polishing passes will, in principle, be enough.

(4) The divisions in step 6 are simple to perform. If $Q(X) = \sum_{0 \le i \le n} q_i X^i$ and $A(X) = \sum_{0 \le i \le n-1} a_i X^i = Q(X)/(X - x)$, then set $a_{n-1} \leftarrow q_n$ and for $i = n-1, \ldots, 1$ set $a_{i-1} \leftarrow q_i + x a_i$. Similarly, if $B(X) = \sum_{0 \le i \le n-2} b_i X^i = Q(X)/(X^2 - \alpha X + \beta)$, then set $b_{n-2} \leftarrow q_n$, $b_{n-3} \leftarrow q_{n-1} + \alpha b_{n-2}$ and for $i = n-2, \ldots, 2$ set $b_{i-2} \leftarrow q_i + \alpha b_{i-1} - \beta b_i$.

(5) Instead of starting with $\lambda = 1$ as coefficient of $Q(x)/Q'(x)$ in step 3, it may be better to start with

$$\lambda = \min\left(1,\ \frac{|Q'(x)|^2}{|Q(x)|\,|Q''(x)|}\right).$$

This value is obtained by looking at the error term in the Taylor expansion proof of Proposition 3.6.5. If this value is too small, then we are probably going to fail, and in fact $x$ is converging to a root of $Q'(X)$ instead of $Q(X)$. If this is detected, the best solution is probably to start again in step 2 with a different starting value. This can of course also be done when $c = 20$ in step 4. We must however beware of doing this too systematically, for failure may indicate that the coefficients of the polynomial $P$ are ill conditioned, and in that case the best remedy is to modify the coefficients of $P$ by a suitable change of variable (typically of the form $X \mapsto aX$). It must be kept in mind that for ill conditioned polynomials, a very small variation of a coefficient can have a drastic effect on the roots.

(6) In step 6, instead of going back to step 2 if $n > 0$, we can go back only if $n > 2$, and treat the cases $n = 1$ and $n = 2$ by using the standard formulas. Care must then be taken to polish the roots thus obtained, as is done in step 5.
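Remarks (3) and (4) in code, as an added Python example that is not from the book: the deflation recurrences of remark (4) for a real root and for a complex-conjugate pair, the split made in step 6 between the two cases, and the two Newton polishing passes of step 5 run against the original $P$ rather than the deflated $Q$. Polynomials are lists of coefficients with index $i$ holding the coefficient of $X^i$, matching the $q_i$ of the remark; the tolerance `eps` is a constructed stand-in for the required accuracy, and `deflate_all` is a helper of this example, not a step of Algorithm 3.6.6.

```python
def poly_eval(p, x):
    """Horner evaluation of p at x; p[i] is the coefficient of X^i."""
    acc = 0
    for c in reversed(p):
        acc = acc * x + c
    return acc


def poly_deriv(p):
    """Coefficients of p'(X)."""
    return [i * p[i] for i in range(1, len(p))]


def deflate_linear(q, x):
    """A(X) = Q(X)/(X - x): a_{n-1} <- q_n, then a_{i-1} <- q_i + x a_i for i = n-1, ..., 1."""
    n = len(q) - 1
    a = [0] * n
    a[n - 1] = q[n]
    for i in range(n - 1, 0, -1):
        a[i - 1] = q[i] + x * a[i]
    return a


def deflate_quadratic(q, alpha, beta):
    """B(X) = Q(X)/(X^2 - alpha X + beta): b_{n-2} <- q_n, b_{n-3} <- q_{n-1} + alpha b_{n-2},
    then b_{i-2} <- q_i + alpha b_{i-1} - beta b_i for i = n-2, ..., 2."""
    n = len(q) - 1
    b = [0] * (n - 1)
    b[n - 2] = q[n]
    if n >= 3:
        b[n - 3] = q[n - 1] + alpha * b[n - 2]
    for i in range(n - 2, 1, -1):
        b[i - 2] = q[i] + alpha * b[i - 1] - beta * b[i]
    return b


def divide_step(q, x, eps=1e-12):
    """Step 6: if x is numerically real, remove the single root x from Q; otherwise remove
    the pair x, conj(x) via X^2 - 2 Re(x) X + |x|^2.  Returns (roots removed, deflated Q)."""
    x = complex(x)
    if abs(x.imag) < eps:
        return [complex(x.real, 0.0)], deflate_linear(q, x.real)
    return [x, x.conjugate()], deflate_quadratic(q, 2 * x.real, abs(x) ** 2)


def polish(p, x, passes=2):
    """Step 5 / remark (3): Newton iteration on the original P with lambda = 1."""
    dp = poly_deriv(p)
    for _ in range(passes):
        x = x - poly_eval(p, x) / poly_eval(dp, x)
    return x


def deflate_all(p, approx_roots, eps=1e-12):
    """Helper of this example: polish each approximate root against P, deflate Q by it
    (or by its conjugate pair), and return the polished roots and what is left of Q.
    approx_roots holds one representative per real root or conjugate pair."""
    q = [complex(c) for c in p]
    roots = []
    for x in approx_roots:
        x = polish(p, x)
        removed, q = divide_step(q, x, eps)
        roots.extend(removed)
    return roots, q
```

Running `deflate_all([-1, 0, 0, 0, 1], [1.01, 0.99j])` on $X^4 - 1$ polishes the two rough starting values, removes $1$ by a linear division and $\pm i$ by a quadratic one, and leaves the degree-1 polynomial $X + 1$ for the last root, which is the situation remark (6) addresses.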


3.7  Exercises  for  Chapter  3 

1. Write an algorithm for multiplying two polynomials, implicitly based on a recursive use of the splitting formulas explained in Section 3.1.2.

2.  Let  P  be  a  polynomial.  Write  an  algorithm  which  computes  the  coefficients  of 
the  polynomial  P(X  +  1)  without  using  an  auxiliary  array  or  polynomial. 

3. Let $K$ be a commutative ring which is not necessarily a field. It has been mentioned after Algorithm 3.1.1 that the Euclidean division of $A$ by $B$ is still possible in $K[X]$ if the leading coefficient $\ell(B)$ is invertible in $K$. Write an algorithm performing this Euclidean division after multiplying $A$ and $B$ by the inverse of $\ell(B)$, and compare the performance of this algorithm with the direct use of Algorithm 3.1.1 in the case $K = \mathbb{Z}/r\mathbb{Z}$.

4. Modify Algorithm 3.3.1 so that $A$ and $B$ are divided by their respective contents every 10 iterations. Experiment and convince yourself that this modification leads to polynomials $A$ and $B$ having much larger coefficients later on in the algorithm, hence that this is a bad idea.

5. Write an extended version of Algorithm 3.3.1 which computes not only $(A, B)$ but also $U$ and $V$ such that $AU + BV = r \cdot (A, B)$ where $r$ is a non-zero constant (Hint: add a fourth variable in Algorithm 1.3.6 to take care of $r$). Show that when $(A, B) = 1$ this can always be done with $r$ equal to the resultant of $A$ and $B$.

6. Show that if $A$, $B$ and $C$ are irreducible polynomials over a UFD $R$ and if $C$ divides $AB$ but is not a unit multiple of $A$, then $C$ divides $B$ (Hint: use the preceding exercise). Deduce from this that $R[X]$ is a UFD.

7. Using for example the sub-resultant algorithm, compute explicitly the discriminant of the trinomials $X^3 + aX + b$ and $X^4 + aX + b$. Try to find the general formula for the discriminant of $X^n + aX + b$.

8. Call $R_i$ the $i$-th row of Sylvester's determinant, for $1 \le i \le n + m$. Show that if we replace for all $1 \le i \le n$ simultaneously $R_i$ by

$$\sum_{k=0}^{i-1} \left(b_k R_{i-k} - a_k R_{i+m-k}\right)$$

and then suppress the last $m$ rows and columns of the resulting matrix, the $n \times n$ determinant thus obtained is equal to the determinant of Sylvester's matrix.
9. If $Q(X) = (X - a)P(X)$, compute the discriminant of $Q$ in terms of $a$ and of the discriminant of $P$.

10.  Show  how  to  modify  the  sub-resultant  Algorithm  3.3.7  so  that  it  can  compute 
correctly  when  the  coefficients  of  the  polynomials  are  for  example  polynomials 
(in  another  variable)  with  real  coefficients. 

11. Show the following result, due to Eisenstein: if $p$ is prime and $A(X) = \sum_{0 \le i \le n} a_i X^i$ is a polynomial in $\mathbb{Z}[X]$ such that $p \nmid a_n$, $p \mid a_i$ for all $i < n$ and $p^2 \nmid a_0$, then $A$ is irreducible in $\mathbb{Z}[X]$.

12. Using the ideas of Section 3.4, write an algorithm to compute the square root of $a$ mod $p$, or to determine that none exists. Implement your algorithm and compare it with Shanks's Algorithm 1.5.1.

13. Using the Möbius inversion formula (see [H-W] Section 16.4) show that the number of monic irreducible polynomials of degree $n$ over $\mathbb{F}_p$ is equal to

$$\frac{1}{n}\sum_{d \mid n} \mu(d)\, p^{n/d},$$

where $\mu(n)$ is the Möbius function (i.e. 0 if $n$ is not squarefree, and equal to $(-1)^k$ if $n$ is a product of $k$ distinct prime factors).

14. Extend Proposition 3.4.7 and Algorithm 3.4.8 to general prime numbers $p$, using $U_p(X) = X + X^p + \cdots + X^{p^{d-1}}$. Compare in practice the expected speed of the resulting algorithm to that of Algorithm 3.4.6.

15. Show that, as claimed in the proof of Algorithm 3.4.8, the polynomial $U$ has exactly $2^{d-1}$ roots in $\mathbb{F}_{2^d}$.

16. Generalizing the methods of Section 3.4, write an algorithm to factor polynomials in $\mathbb{F}_q[X]$, where $q = p^d$ and $\mathbb{F}_q$ is given by an irreducible polynomial of degree $d$ in $\mathbb{F}_p[X]$.

17. Let $B(X) \in \mathbb{F}_p[X]$ be a squarefree polynomial with $r$ distinct irreducible factors. Show that if $T(X)$ is a polynomial corresponding to a randomly chosen element of the kernel obtained in step 2 of Algorithm 3.4.10 and if $p > 3$, the probability that $(B(X), T(X)^{(p-1)/2} - 1)$ gives a non-trivial factor of $B$ is greater than or equal to $4/9$.

18. Let $K$ be any field, $a \in K$ and $p$ a prime number. Show that the polynomial $X^p - a$ is reducible in $K[X]$ if and only if it has a root in $K$. Generalize to the polynomials $X^p - a$.

19. Let $p$ be an odd prime and $q$ a prime divisor of $p - 1$. Let $a \in \mathbb{Z}$ be a primitive root modulo $p$. Using the preceding exercise, show that for any $k > 1$ the polynomial

$$X^q + pX^k - a$$

is irreducible in $\mathbb{Q}[X]$.

20. Let $p$ and $q$ be two odd prime numbers. We assume that $q \equiv 2 \pmod 3$ and that $p$ is a primitive root modulo $q$ (i.e. that $p \bmod q$ generates $(\mathbb{Z}/q\mathbb{Z})^*$). Show that the polynomial

$$X^{q+1} - X + p$$

is irreducible in $\mathbb{Q}[X]$. (Hint: reduce mod $p$ and mod 2.)

21. Separating even and odd powers, any polynomial $A$ can be written in the form $A(X) = A_0(X^2) + XA_1(X^2)$. Set $T(A)(X) = A_0(X)^2 - XA_1(X)^2$. With the notations of Theorem 3.5.1, show that for any $k$

NS(n71)iT‘(A)i,/a‘+(":0iG"i' 

What is the behavior of the sequence $|T^k(A)|^{1/2^k}$ as $k$ increases?

22. In Algorithms 3.5.5 and 3.5.6, assume that $p = q$, that $A$ and $B$ are monic, and set $D = AU$, $D_1 = A_1U_1$, $E = BV$, $E_1 = B_1V_1$. Denote by $(C, p^2)$ the ideal of $\mathbb{Z}[X]$ generated by $C(X)$ and $p^2$. Show that

$$D_1 \equiv 3D^2 - 2D^3 \pmod{(C, p^2)} \quad\text{and}\quad E_1 \equiv 3E^2 - 2E^3 \pmod{(C, p^2)}.$$

Then show that $A_1$ (resp. $B_1$) is the monic polynomial of the lowest degree such that $E_1A_1 \equiv 0 \pmod{(C, p^2)}$ (resp. $D_1B_1 \equiv 0 \pmod{(C, p^2)}$).

23.  Write  a  general  algorithm  for  finding  all  the  roots  of  a  polynomial  in  Qp  to  a 
given  p-adic  precision,  using  Hensel’s  lemma.  Note  that  multiple  roots  at  the 
mod  p  level  create  special  problems  which  have  to  be  treated  in  detail. 

24. Denote by $(\ ,\ )_p$ the GCD taken over $\mathbb{F}_p[X]$. Following Weinberger, Knuth asserts that if $A \in \mathbb{Z}[X]$ is a product of exactly $k$ irreducible factors in $\mathbb{Z}[X]$ (not counting multiplicity) then

$$\lim_{r \to \infty} \frac{\sum_{p \le r} \deg\,(X^p - X, A(X))_p}{\sum_{p \le r} 1} = k.$$

Explore this formula as a heuristic method for determining the irreducibility of a polynomial over $\mathbb{Z}$.

25. Find the complete decomposition into irreducible factors of the polynomial $X^4 + 1$ modulo every prime $p$ using the quadratic reciprocity law and the identities given in Section 3.5.2.

26. Discuss the possibility of computing polynomial GCDs over $\mathbb{Z}$ by computing GCDs of values of the polynomials at suitable points (see [Schon]).

27. Using the ideas of Section 3.4.2, modify the root finding Algorithm 3.6.6 so that it finds the roots of any polynomial, squarefree or not, with their order of multiplicity. For this question to make practical sense, you can assume that the polynomial has integer coefficients.

28. Let $P(X) = X^3 + aX^2 + bX + c \in \mathbb{R}[X]$ be a monic squarefree polynomial. Let $\theta_i$ ($1 \le i \le 3$) be the roots of $P$ in $\mathbb{C}$ and let

$$\alpha_1 = (\theta_1 + \rho^2\theta_2 + \rho\theta_3)^3, \qquad \alpha_2 = (\theta_1 + \rho\theta_2 + \rho^2\theta_3)^3.$$

Let $A(X) = (X - \alpha_1)(X - \alpha_2)$.

a) Compute explicitly the coefficients of $A(X)$.

b) Show that $-27\,\mathrm{disc}(P) = \mathrm{disc}(A)$, and give an expression for this discriminant.

c) Show how to compute the roots of $P$ knowing the roots of $A$.

29. Let $P(X) = X^4 + aX^3 + bX^2 + cX + d \in \mathbb{R}[X]$ be a monic squarefree polynomial. Let $\theta_i$ ($1 \le i \le 4$) be the roots of $P$ in $\mathbb{C}$, and let

$$\alpha_1 = (\theta_1 + \theta_2)(\theta_3 + \theta_4), \quad \alpha_2 = (\theta_1 + \theta_3)(\theta_2 + \theta_4), \quad \alpha_3 = (\theta_1 + \theta_4)(\theta_2 + \theta_3),$$

and

$$\beta_1 = \theta_1\theta_2 + \theta_3\theta_4, \quad \beta_2 = \theta_1\theta_3 + \theta_2\theta_4, \quad \beta_3 = \theta_1\theta_4 + \theta_2\theta_3.$$

Finally, let $A(X) = (X - \alpha_1)(X - \alpha_2)(X - \alpha_3)$ and $B(X) = (X - \beta_1)(X - \beta_2)(X - \beta_3)$.

a) Compute explicitly the coefficients of $A(X)$ and $B(X)$ in terms of those of $P(X)$.

b) Show that $\mathrm{disc}(P) = \mathrm{disc}(A) = \mathrm{disc}(B)$, and give an expression for this discriminant.

c) Show how to compute the roots of $P$ knowing the roots of $A$.

30. Recall that the first case of Fermat's last "theorem" (FLT) states that if $l$ is an odd prime, then $x^l + y^l + z^l = 0$ implies that $l \mid xyz$. Using elementary arguments (i.e. no algebraic number theory), it is not too difficult to prove the following theorem, essentially due to Sophie Germain.

Theorem 3.7.1. Let $l$ be an odd prime, and assume that there exists an integer $k$ such that $k \equiv \pm 2 \pmod 6$, $p = lk + 1$ is prime and $p \nmid (k^k - 1)W_k$ where $W_k$ is the resultant of the polynomials $X^k - 1$ and $(X + 1)^k - 1$. Then the first case of FLT is true for the exponent $l$.

It  is  therefore  important  to  compute  Wk  and  in  particular  its  prime  factors.  Give 
several  algorithms  for  doing  this,  and  compare  their  efficiency.  Some  familiarity 
with  number  fields  and  in  particular  with  cyclotomic  fields  is  needed  here. 

31. Let $A(X) = a_nX^n + \cdots + a_1X + a_0$ be a polynomial, with $a_n \ne 0$. Show that for any positive integer $k$,

$$\mathrm{disc}(A(X^k)) = (-1)^{nk(k+3)/2}\, k^{nk}\, (a_n a_0)^{k-1}\, \mathrm{disc}(A)^k.$$


Chapter  4 

Algorithms  for  Algebraic  Number  Theory  I 


In this chapter, we give the necessary background on algebraic numbers, number fields, modules, ideals and units, and corresponding algorithms for them. Excellent basic textbooks on these subjects are, for example, [Bo-Sh], [Cas-Fro], [Cohn], [Ire-Ros], [Marc], [Sam]. However, they usually have little algorithmic flavor. We will give proofs only when they help to understand an algorithm, and we urge the reader to refer to the above textbooks for the proofs which are not given.


4.1  Algebraic  Numbers  and  Number  Fields 

4.1.1  Basic  Definitions  and  Properties  of  Algebraic  Numbers 


Definition 4.1.1. Let $\alpha \in \mathbb{C}$. Then $\alpha$ is called an algebraic number if there exists $A \in \mathbb{Z}[X]$ such that $A(\alpha) = 0$, and $A$ not identically zero. The number $\alpha$ is called an algebraic integer if in addition, one can choose $A$ to be monic (i.e. with leading coefficient equal to 1).

Then  we  have: 

Proposition 4.1.2. Let $\alpha$ be an algebraic number, and let $A$ be a polynomial with integer coefficients such that $A(\alpha) = 0$, and assume that $A$ is chosen to have the smallest degree and be primitive with $\ell(A) > 0$. Then such an $A$ is unique, is irreducible in $\mathbb{Q}[X]$, and any $B \in \mathbb{Z}[X]$ such that $B(\alpha) = 0$ is a multiple of $A$.

Proof. The ring $\mathbb{Q}[X]$ is a principal ideal domain (PID), and the set of $B \in \mathbb{Q}[X]$ such that $B(\alpha) = 0$ is an ideal, hence is the ideal generated by $A$. If, in addition, $B$ has integral coefficients, Gauss's lemma (Theorem 3.2.8) implies that $B$ is a multiple of $A$ in $\mathbb{Z}[X]$. It is clear that $A$ is irreducible; otherwise $A$ would not be of smallest degree. We will call this $A$ the minimal polynomial of $\alpha$. □

We will use the notation $\overline{\mathbb{Q}}$ for the set of algebraic numbers (hence $\overline{\mathbb{Q}} \subset \mathbb{C}$), $\mathbb{Z}_{\overline{\mathbb{Q}}}$ for the set of algebraic integers, and if $L$ is any subset of $\mathbb{C}$ we will set

$$\mathbb{Z}_L = \mathbb{Z}_{\overline{\mathbb{Q}}} \cap L,$$

and call it the set of integers of $L$. Note that $\overline{\mathbb{Q}}$ is an algebraic closure of $\mathbb{Q}$.

For example, we have $\mathbb{Z}_{\mathbb{Q}} = \mathbb{Z}$. Indeed, if $\alpha = p/q \in \mathbb{Q}$ is a root of $A \in \mathbb{Z}[X]$ with $A$ monic, we must have $q \mid \ell(A)$, hence $q = \pm 1$ so $\alpha$ is in $\mathbb{Z}$.

The  first  important  result  about  algebraic  numbers  is  as  follows: 

Theorem 4.1.3. Let $\alpha \in \mathbb{C}$. The following four statements are equivalent.

(1) $\alpha$ is an algebraic integer.

(2) $\mathbb{Z}[\alpha]$ is a finitely generated additive Abelian group.

(3) $\alpha$ belongs to a subring of $\mathbb{C}$ which is finitely generated as an Abelian group.

(4) There exists a non-zero finitely generated additive subgroup $L$ of $\mathbb{C}$ such that $\alpha L \subset L$.

As  corollaries  we  have: 

Corollary 4.1.4. The set of algebraic integers is a ring. In particular, if $R$ is a ring, the set $\mathbb{Z}_R$ of integers of $R$ is a ring.

Corollary 4.1.5. If $\alpha \in \mathbb{C}$ is a root of a monic polynomial whose coefficients are algebraic integers (and not simply integers), then $\alpha$ is an algebraic integer.

Definition 4.1.6. Let $\alpha \in \mathbb{C}$ be an algebraic number, and $A$ its minimal polynomial. The conjugates of $\alpha$ are all the $\deg(A)$ roots of $A$ in $\mathbb{C}$.

This notion of conjugacy is of course of fundamental importance, but what I would like to stress here is that from an algebraic point of view the conjugates are indistinguishable. For example, any algebraic identity between algebraic numbers is a simultaneous collection of conjugate identities. To give a trivial example, the identity $(1 + \sqrt{2})^2 = 3 + 2\sqrt{2}$ implies the identity $(1 - \sqrt{2})^2 = 3 - 2\sqrt{2}$. This remark is a generalization of the fact that an equality between two complex numbers implies the equality between their conjugates, or equivalently between their real and imaginary parts. The present example is even more striking if one looks at it from a numerical point of view: it says that the identity $(2.41421\ldots)^2 = 5.828427\ldots$ implies the identity $(0.41421\ldots)^2 = 0.171573\ldots$. Of course this is not the correct way to look at it, but the lesson to be remembered is that an algebraic number always comes with all of its conjugates.

4.1.2  Number  Fields 

Definition 4.1.7. A number field is a field containing $\mathbb{Q}$ which, considered as a $\mathbb{Q}$-vector space, is finite dimensional. The number $d = \dim_{\mathbb{Q}} K$ is denoted by $[K : \mathbb{Q}]$ and called the degree of the number field $K$.

We recall the following fundamental results about number fields:

Theorem 4.1.8. Let $K$ be a number field of degree $n$. Then

(1) (Primitive element theorem) There exists a $\theta \in K$ such that

$$K = \mathbb{Q}(\theta).$$

Such a $\theta$ is called a primitive element. Its minimal polynomial is an irreducible polynomial of degree $n$.

(2) There exist exactly $n$ field embeddings of $K$ in $\mathbb{C}$, given by $\theta \mapsto \theta_i$, where the $\theta_i$ are the roots in $\mathbb{C}$ of the minimal polynomial of $\theta$. These embeddings are $\mathbb{Q}$-linear, their images $K_i$ in $\mathbb{C}$ are called the conjugate fields of $K$, and the $K_i$ are isomorphic to $K$.

(3) For any $i$, $K_i \subset \overline{\mathbb{Q}}$, in other words all the elements of $K_i$ are algebraic numbers and their degree divides $n$.


The assertion made above concerning the indistinguishability of the conjugates can be clearly seen here. The choice of the conjugate field $K_i$ is a priori completely arbitrary. In many cases, this choice is already given. For example, when we speak of "the number field $\mathbb{Q}(2^{1/3})$", this is slightly incorrect, since what we mean by this is that we are considering the number field $K = \mathbb{Q}[X]/(X^3 - 2)\mathbb{Q}[X]$ together with the embedding $X \mapsto 2^{1/3}$ of $K$ into $\mathbb{C}$.


Definition 4.1.9. The signature of a number field is the pair $(r_1, r_2)$ where $r_1$ is the number of embeddings of $K$ whose image lies in $\mathbb{R}$, and $2r_2$ is the number of non-real complex embeddings, so that $r_1 + 2r_2 = n$ (note that the non-real embeddings always come in pairs since if $\sigma$ is such an embedding, so is $\bar{\sigma}$, where $\bar{\ }$ denotes complex conjugation). If $T$ is an irreducible polynomial defining the number field $K$ by one of its roots, the signature of $K$ will also be called the signature of $T$. Here $r_1$ (resp. $2r_2$) will be the number of real (resp. non-real) roots of $T$ in $\mathbb{C}$. When $r_2 = 0$ (resp. $r_1 = 0$) we will say that $K$ and $T$ are totally real (resp. totally complex).

It is not difficult to determine the signature of a number field $K$, but some ways are better than others. If $K = \mathbb{Q}(\theta)$, and if $T$ is the minimal polynomial of $\theta$, we can of course compute the roots of $T$ in $\mathbb{C}$ using, for instance, the root finding Algorithm 3.6.6, and count the number of real roots. This is however quite expensive. A much better way is to use a theorem of Sturm which tells us in essence that the sequence of leading coefficients in the polynomial remainder sequence obtained by applying Euclid's algorithm or its variants to $T$ and $T'$ governs the signature. More precisely, we have the following theorem.

Theorem 4.1.10 (Sturm). Let $T$ be a squarefree polynomial with real coefficients. Assume that $A_0 = T$, $A_1 = T'$, and that $A_i$ is a polynomial remainder sequence such that for all $i$ with $1 \le i \le k$:

$$e_i A_{i-1} = Q_i A_i - f_i A_{i+1},$$

where the $e_i$ and $f_i$ are real and positive, and $A_{k+1}$ is a constant polynomial (non-zero since $T$ is squarefree). Set $\ell_i = \ell(A_i)$ and $d_i = \deg(A_i)$. Then, if $s$ is the number of sign changes in the sequence $\ell_0, \ell_1, \ldots, \ell_{k+1}$, and if $t$ is the number of sign changes in the sequence $(-1)^{d_0}\ell_0, (-1)^{d_1}\ell_1, \ldots, (-1)^{d_{k+1}}\ell_{k+1}$, the number of real roots of $T$ is equal to $t - s$.

Proof. For any real $a$, let $s(a)$ be the number of sign changes, not counting zeros, in the sequence $A_0(a), A_1(a), \ldots, A_{k+1}(a)$. We clearly have $\lim_{a \to +\infty} s(a) = s$ and $\lim_{a \to -\infty} s(a) = t$. We are going to prove the following more general assertion: the number of roots of $T$ in the interval $]a, b]$ is equal to $s(a) - s(b)$, which clearly implies the assertion of the theorem.

First, it is clear that a sign sequence at any number $a$ cannot have two consecutive zeros, otherwise these zeros would propagate and we would have $A_{k+1} = 0$. For similar reasons, we cannot have sequences of the form $+, 0, +$, or of the form $-, 0, -$ since the $e_i$ and $f_i$ are positive. Now the desired formula $s(a) - s(b)$ is certainly valid if $b = a$. We will see that it stays true when $b$ increases. The quantity $s(b)$ can change only when $b$ goes through one of the roots of the $A_i$, which are finite in number. Let $x$ be a root of such an $A_i$ (maybe of several). If $\varepsilon$ is sufficiently small, when $b$ goes from $x - \varepsilon$ to $x$, the sign sequence corresponding to indices $i - 1$, $i$ and $i + 1$ goes from $+, \pm, -$ to $+, 0, -$ (or from $-, \pm, +$ to $-, 0, +$) when $i \ge 1$ by what has been said above (no consecutive zeros, and no sequences $+, 0, +$ or $-, 0, -$). Hence, there is no difference in the number of sign changes not counting zeros if $i \ge 1$. On the other hand, for $i = 0$, the sign sequence corresponding to indices 0 and 1 goes from $+, -$ to $0, -$, or from $-, +$ to $0, +$ since $A_1(b) < 0$ if and only if $A_0$ is decreasing (recall that $A_1$ is the derivative of $A_0$). Hence, the net change in $s(b)$ is equal to $-1$. This proves our claim and the theorem. □

From this, it is easy to derive an algorithm for computing the signature of a polynomial (hence of a number field). Such an algorithm can of course be written for any polynomial $T \in \mathbb{R}[X]$, but for number-theoretic uses $T$ will have integer coefficients, hence we should use the polynomial remainder sequence given by the sub-resultant Algorithm 3.3.1 to avoid coefficient explosion. This leads to the following algorithm.

Algorithm 4.1.11 (Sturm). Given a polynomial $T \in \mathbb{Z}[X]$, this algorithm determines the signature $(r_1, r_2)$ of $T$ using Sturm's theorem and the sub-resultant Algorithm 3.3.1. If $T$ is not squarefree, it outputs an error message.

1. [Initializations and reductions] If $\deg(T) = 0$, output $(0, 0)$ and terminate. Otherwise, set $A \leftarrow \mathrm{pp}(T)$, $B \leftarrow \mathrm{pp}(T')$, $g \leftarrow 1$, $h \leftarrow 1$, $s \leftarrow \mathrm{sign}(\ell(A))$, $n \leftarrow \deg(A)$, $t \leftarrow (-1)^{n-1}s$, $r_1 \leftarrow 1$.

2. [Pseudo division] Set $\delta \leftarrow \deg(A) - \deg(B)$. Using Algorithm 3.1.2, compute $R$ such that $\ell(B)^{\delta+1}A = BQ + R$. If $R = 0$ then $T$ was not squarefree, output an error message and terminate the algorithm. Otherwise, if $\ell(B) > 0$ or $\delta$ is odd, set $R \leftarrow -R$.

3. [Use Sturm] If $\mathrm{sign}(\ell(R)) \ne s$, set $s \leftarrow -s$, $r_1 \leftarrow r_1 - 1$. Then, if $\mathrm{sign}(\ell(R)) \ne (-1)^{\deg(R)}t$, set $t \leftarrow -t$, $r_1 \leftarrow r_1 + 1$.

4. [Finished?] If $\deg(R) = 0$, output $(r_1, (n - r_1)/2)$ and terminate the algorithm. Otherwise, set $A \leftarrow B$, $B \leftarrow R/(gh^\delta)$, $g \leftarrow |\ell(A)|$, $h \leftarrow h^{1-\delta}g^\delta$, and go to step 2.
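Algorithm 4.1.11 in code, as an added Python example that is not the book's own: the sub-resultant Sturm sequence above with integer polynomials stored as coefficient lists, index $i$ holding the coefficient of $X^i$. The pseudo-division of step 2 is written out in place of the call to Algorithm 3.1.2; a non-squarefree input raises `ValueError` where the algorithm outputs an error message; and the degree-1 case, which step 1 as stated does not separate out, is returned directly as $(1, 0)$ since step 2 would otherwise pseudo-divide by a constant.

```python
from functools import reduce
from math import gcd


def strip(p):
    """Drop trailing zeros so that p[-1] is the leading coefficient (the zero polynomial is [0])."""
    p = list(p)
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p


def deg(p):
    p = strip(p)
    return -1 if p == [0] else len(p) - 1


def lead(p):
    return strip(p)[-1]


def sign(x):
    return (x > 0) - (x < 0)


def derivative(p):
    return strip([i * p[i] for i in range(1, len(p))]) if len(p) > 1 else [0]


def primitive_part(p):
    """pp(p): p divided by the gcd of its coefficients, keeping the sign of the leading coefficient."""
    p = strip(p)
    c = reduce(gcd, (abs(x) for x in p), 0)
    return [x // c for x in p] if c else p


def pseudo_remainder(A, B):
    """R with lead(B)^(deg A - deg B + 1) * A = B*Q + R and deg R < deg B (as in Algorithm 3.1.2)."""
    A, B = strip(A), strip(B)
    m, lb = deg(B), lead(B)
    R, e = A, max(deg(A) - m + 1, 0)      # e: factors of lead(B) still to be applied
    while deg(R) >= m:
        dr, lr = deg(R), lead(R)
        R = [lb * c for c in R]           # R <- lead(B) R - lead(R) X^(dr-m) B
        for i in range(m + 1):
            R[i + dr - m] -= lr * B[i]
        R = strip(R)
        e -= 1
    return [lb ** e * c for c in R]


def sturm_signature(T):
    """Algorithm 4.1.11: signature (r1, r2) of a squarefree T in Z[X]; ValueError if T is not squarefree."""
    T = strip(T)
    n = deg(T)
    if n <= 0:
        return (0, 0)
    if n == 1:                            # a single real root; not covered by step 1 as stated
        return (1, 0)
    # step 1
    A, B = primitive_part(T), primitive_part(derivative(T))
    g = h = 1
    s = sign(lead(A))
    t = (-1) ** (n - 1) * s
    r1 = 1
    while True:
        # step 2: pseudo-division, then fix the sign so that R is a positive multiple of A_{i+1}
        delta = deg(A) - deg(B)
        R = pseudo_remainder(A, B)
        if R == [0]:
            raise ValueError("T is not squarefree")
        if lead(B) > 0 or delta % 2 == 1:
            R = [-c for c in R]
        # step 3: update the two sign-change counts; r1 tracks t - s
        lr = sign(lead(R))
        if lr != s:
            s, r1 = -s, r1 - 1
        if lr != (-1) ** deg(R) * t:
            t, r1 = -t, r1 + 1
        # step 4: finished, or the sub-resultant update of A, B, g, h (all divisions are exact)
        if deg(R) == 0:
            return (r1, (n - r1) // 2)
        A, B = B, [c // (g * h ** delta) for c in R]
        g = abs(lead(A))
        h = h if delta == 0 else g ** delta // h ** (delta - 1)
```

For $X^3 - 2$ this returns $(1, 1)$, for $X^4 + 1$ it returns $(0, 2)$, and for $X^4 - 5X^2 + 4 = (X^2 - 1)(X^2 - 4)$ it returns $(4, 0)$, the last one exercising the exact division $R/(gh^\delta)$ of step 4.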


Another important notion concerning number fields is that of the Galois group of a number field. From now on, we assume that all our number fields are subfields of $\overline{\mathbb{Q}}$.

Definition 4.1.12. Let $K$ be a number field of degree $n$. We say that $K$ is Galois (or normal) over $\mathbb{Q}$, or simply Galois, if $K$ is (globally) invariant by the $n$ embeddings of $K$ in $\mathbb{C}$. The set of such embeddings is a group, called the Galois group of $K$, and denoted $\mathrm{Gal}(K/\mathbb{Q})$.


Given any number field $K$, the intersection of all subfields of $\overline{\mathbb{Q}}$ which are Galois and contain $K$ is a finite extension $K_g$ of $K$ called the Galois closure (or normal closure) of $K$ in $\overline{\mathbb{Q}}$. If $K = \mathbb{Q}(\theta)$ where $\theta$ is a root of an irreducible polynomial $T \in \mathbb{Z}[X]$, the Galois closure of $K$ can also be obtained as the splitting field of $T$, i.e. the field obtained by adjoining to $\mathbb{Q}$ all the roots of $T$. By abuse of language, even when $K$ is not Galois, we will call $\mathrm{Gal}(K_g/\mathbb{Q})$ the Galois group of the number field $K$ (or of the polynomial $T$).

A  special  case  of  the  so-called  “fundamental  theorem  of  Galois  theory”  is 
as  follows. 

Proposition 4.1.13. Let $K$ be Galois over $\mathbb{Q}$ and $x \in K$. Assume that for any $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$ we have $\sigma(x) = x$. Then $x \in \mathbb{Q}$. In particular, if in addition $x$ is an algebraic integer then $x \in \mathbb{Z}$.

The following easy proposition shows that there are only two possibilities for the signature of a Galois extension. Similarly, we will see (Theorem 4.8.6) that there are only a few possibilities for how primes split in a Galois extension.

Proposition 4.1.14. Let $K$ be a Galois extension of $\mathbb{Q}$ of degree $n$. Then, either $K$ is totally real ($(r_1, r_2) = (n, 0)$), or $K$ is totally complex ($(r_1, r_2) = (0, n/2)$, which can occur only if $n$ is even).

The  computation  of  the  Galois  group  of  a  number  field  (or  of  its  Galois 
closure)  is  in  general  not  an  easy  task.  We  will  study  this  for  polynomials  of 
low  degree  in  Section  6.3. 
4.2 Representation and Operations on Algebraic Numbers

It is very important to study the way in which algebraic numbers are represented. There are two completely different problems: that of representing algebraic numbers, and that of representing sets of algebraic numbers, e.g. modules or ideals. This will be considered in Section 4.7. Here we consider the problem of representing an individual algebraic number.

Essentially there are four ways to do this, depending on how the number arises. The first way is to represent $\alpha \in \overline{\mathbb{Q}}$ by its minimal polynomial $A$ which exists by Proposition 4.1.2. The three others assume that $\alpha$ is a polynomial with rational coefficients in some fixed algebraic number $\theta$. These other methods are usually preferable, since field operations in $\mathbb{Q}(\theta)$ can be performed quite simply. We will see these methods in more detail in the following sections. However, to start with, we do not always have such a $\theta$ available, so we consider the problems which arise from the first method.


4.2.1  Algebraic  Numbers  as  Roots  of  their  Minimal  Polynomial 

Since $A$ has $n = \deg(A)$ zeros in $\mathbb{C}$, the first question is to determine which of these zeros $\alpha$ is supposed to represent. We have seen that an algebraic number always comes equipped with all of its conjugates, so this is a problem which we must deal with. Since $\mathbb{Q}(\alpha) \simeq \mathbb{Q}[X]/(A(X)\mathbb{Q}[X])$, $\alpha$ may be represented as the class of $X$ in $\mathbb{Q}[X]/(A(X)\mathbb{Q}[X])$, which is a perfectly well defined mathematical quantity. The distinction between $\alpha$ and its conjugates, if really necessary, will then depend not on $A$ but on the specific embedding of $\mathbb{Q}[X]/(A(X)\mathbb{Q}[X])$ in $\mathbb{C}$. In other words, it depends on the numerical value of $\alpha$ as a complex number. This numerical value can be obtained by finding complex roots of polynomials, and we assume throughout that we always take sufficient accuracy to be able to distinguish $\alpha$ from its conjugates. (Recall that since the minimal polynomial of $\alpha$ is irreducible and hence squarefree, the conjugates of $\alpha$ are distinct.)

Hence, we can consider that an algebraic number $\alpha$ is represented by a pair $(A, x)$ where $A$ is the minimal polynomial of $\alpha$, and $x$ is an approximation to the complex number $\alpha$ ($x$ should be at least closer to $\alpha$ than to any of its conjugates). It is also useful to have numeric approximations to all the conjugates of $\alpha$. In fact, one can recover the minimal polynomial $A$ of $\alpha$ from this if one knows only its leading term $\ell(A)$, since if one sets $\hat{A}(X) = \ell(A)\prod_i (X - \hat{\alpha}_i)$, where the $\hat{\alpha}_i$ are the approximations to the conjugates of $\alpha$, then, if they are close enough (and they must be chosen so), $A$ will be the polynomial whose coefficients are the nearest integers to the coefficients of $\hat{A}$.

With  this  representation,  it  is  clear  that  one  can  now  easily  work  in  the 
subfield  Q(a)  generated  by  a,  simply  by  working  modulo  A. 

More serious problems arise when one wants to do operations between algebraic numbers which are a priori not in this subfield. Assume for instance that $\alpha = (X \bmod A(X))$, and $\beta = (X \bmod B(X))$, where $A$ and $B$ are primitive irreducible polynomials of respective degrees $m$ and $n$ (we omit the $\mathbb{Q}[X]$ for simplicity of notation). How does one compute the sum, difference, product and quotient of $\alpha$ and $\beta$? The simplest way to do this is to compute resultants of two variable polynomials. Indeed, the resultant of the polynomials $A(X - Y)$ and $B(Y)$ considered as polynomials in $Y$ alone (the coefficient ring being then $\mathbb{Q}[X]$) is up to a scalar factor equal to $P(X) = \prod_{i,j}(X - \alpha_i - \beta_j)$ where the $\alpha_i$ are the conjugates of $\alpha$, and the $\beta_j$ are the conjugates of $\beta$. Since $P$ is a resultant, it lies in $\mathbb{Q}[X]$, and $\alpha + \beta$ is one of its roots, so $Q = \mathrm{pp}(P)$ is a multiple of the minimal polynomial of $\alpha + \beta$.

If $Q$ is irreducible, then it is the minimal polynomial of $\alpha + \beta$. If it is not irreducible, then the minimal polynomial of $\alpha + \beta$ is one of the irreducible factors of $Q$ which one computes by using the algorithms of Section 3.5. Once again however, it does not make sense to ask which of the irreducible factors $\alpha + \beta$ is a root of, if we do not specify embeddings in $\mathbb{C}$, in other words, numerical approximations to $\alpha$ and $\beta$. Given such approximations however, one can readily check in practice which of the irreducible factors of $Q$ is the minimal polynomial that we are looking for.

What holds for addition also holds for subtraction (take the resultant of $A(X + Y)$ and $B(Y)$), multiplication (take the resultant of $Y^m A(X/Y)$ and $B(Y)$), and division (take the resultant of $A(XY)$ with $B(Y)$).
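The two numerical remarks of this section in code, as an added Python example that is not from the book: recovering $A$ from approximations to the conjugates by expanding $\ell(A)\prod_i (X - \hat{\alpha}_i)$ and rounding, and forming $\prod_{i,j}(X - \alpha_i \circ \beta_j)$ numerically for the sum, difference, product and quotient of two algebraic numbers given through their conjugates, which yields the same integer polynomial $Q$ as the resultant computation, without the resultant. The conjugates of $\sqrt{2}$ and $2^{1/3}$ used as input are constructed with `cmath`, the rounding tolerance is a constructed value, and the example assumes, as the text does, that the approximations are accurate enough for the rounding to be unambiguous.

```python
import cmath
from itertools import product


def poly_mul(p, q):
    """Product of two polynomials stored lowest degree first."""
    r = [0j] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r


def poly_from_roots(roots, leading=1):
    """leading * prod (X - r) over the given (approximate) roots, with complex arithmetic."""
    p = [complex(leading)]
    for r in roots:
        p = poly_mul(p, [-r, 1])
    return p


def round_to_integers(p, tol=1e-6):
    """Nearest-integer coefficients; fail loudly when a coefficient is not close to an integer,
    which is the sign that the approximations were not accurate enough."""
    out = []
    for c in p:
        k = round(c.real)
        if abs(c - k) > tol:
            raise ValueError(f"coefficient {c} is not within {tol} of an integer")
        out.append(k)
    return out


def recover_min_poly(conjugates, leading=1):
    """A(X) = ell(A) * prod (X - alpha_i) from approximations to all conjugates, rounded to Z[X]."""
    return round_to_integers(poly_from_roots(conjugates, leading))


def combine(alphas, betas, op):
    """Q(X) = prod_{i,j} (X - op(alpha_i, beta_j)), rounded to Z[X]: a multiple of the minimal
    polynomial of op(alpha, beta), for op one of +, -, *, / (the four resultants of Section 4.2.1)."""
    return round_to_integers(poly_from_roots([op(a, b) for a, b in product(alphas, betas)]))


# Constructed inputs: the conjugates of sqrt(2) and of 2^(1/3), to double precision.
SQRT2_CONJ = [cmath.sqrt(2), -cmath.sqrt(2)]
CBRT2_CONJ = [2 ** (1 / 3) * cmath.exp(2j * cmath.pi * k / 3) for k in range(3)]
```

`combine(SQRT2_CONJ, CBRT2_CONJ, lambda a, b: a + b)` gives $X^6 - 6X^4 - 4X^3 + 12X^2 - 24X - 4$, which is irreducible and hence the minimal polynomial of $\sqrt{2} + 2^{1/3}$; `combine(SQRT2_CONJ, SQRT2_CONJ, lambda a, b: a * b)` gives $(X^2 - 4)^2$, showing the reducible case in which $Q$ is only a multiple of the minimal polynomial and the embedding decides which factor is wanted.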


4.2.2  The  Standard  Representation  of  an  Algebraic  Number 

Let $K$ be a number field, and let $\theta_j$ ($1 \le j \le n$) be a $\mathbb{Q}$-basis of $K$. Let $\alpha \in K$ be any element. It is clear that one can write $\alpha$ in a unique way as

$$\alpha = \frac{\sum_{j=0}^{n-1} a_j \theta_{j+1}}{d}, \qquad \text{with } d > 0,\ a_j \in \mathbb{Z} \text{ and } \gcd(a_0, \ldots, a_{n-1}, d) = 1.$$

In the case where $\theta_j = \theta^{j-1}$ for some root $\theta$ of a monic irreducible polynomial $T \in \mathbb{Z}[X]$, the $(n+1)$-uplet $(a_0, \ldots, a_{n-1}, d) \in \mathbb{Z}^{n+1}$ will be called the standard representation of $\alpha$ (with respect to $\theta$). Hence, we can now assume that we know such a primitive element $\theta$. (We will see in Section 4.5 how it can be obtained.)

We must see how to do the usual arithmetic operations on these standard representations. The vector space operations on $K$ are of course trivial. For multiplication, we precompute the standard representation of $\theta^j$ for $j \le 2n - 2$ in the following way: if $T(X) = \sum_{i=0}^{n} t_i X^i$ with $t_i \in \mathbb{Z}$ for all $i$ and $t_n = 1$, we have $\theta^n = \sum_{i=0}^{n-1} (-t_i)\theta^i$. If we set $\theta^{n+k} = \sum_{i=0}^{n-1} r_{k,i}\theta^i$, then the standard representation of $\theta^{n+k}$ is $(r_{k,0}, r_{k,1}, \ldots, r_{k,n-1}, 1)$ and the $r_{k,i}$ are computed by induction thanks to the formulas $r_{0,i} = -t_i$ and

$$r_{k,i} = \begin{cases} r_{k-1,i-1} - t_i\, r_{k-1,n-1} & \text{if } i \ge 1, \\ -t_0\, r_{k-1,n-1} & \text{if } i = 0. \end{cases}$$
Now if $(a_0, \ldots, a_{n-1}, d)$ and $(b_0, \ldots, b_{n-1}, e)$ are the standard representations of $\alpha$ and $\beta$ respectively, then it is clear that

$$\alpha\beta = \frac{\sum_{k=0}^{2n-2} c_k \theta^k}{de}, \qquad \text{where } c_k = \sum_{i+j=k} a_i b_j,$$

hence

$$\alpha\beta = \frac{\sum_{k=0}^{n-1} z_k \theta^k}{de}, \qquad \text{where } z_k = c_k + \sum_{i=0}^{n-2} r_{i,k}\, c_{n+i}.$$

The standard representation of $\alpha\beta$ is then obtained by dividing all the $z_k$ and $de$ by $\gcd(z_0, \ldots, z_{n-1}, de)$.

Note that if we set $A(X) = \sum_{i=0}^{n-1} a_i X^i$ and $B(X) = \sum_{i=0}^{n-1} b_i X^i$, the procedure described above is equivalent to computing the remainder in the Euclidean division of $AB$ by $T$. Because of the precomputation of the $r_{k,i}$, however, it is slightly more efficient.

The problem of division is more difficult. Here, we need essentially to compute $A/B$ modulo the polynomial $T$. Hence, we need to invert $B$ modulo $T$. The simplest efficient way to do this is to use the sub-resultant Algorithm 3.3.1 to obtain $U$ and $V$ (where $V$ does not need to be computed explicitly) such that $UB + VT = d$, where $d$ is a non-zero constant polynomial. (Note that since $T$ is irreducible and $B \ne 0$ is of degree less than $n$, $B$ and $T$ are coprime.) Then the inverse of $B$ modulo $T$ is $\frac{1}{d}U$, and the standard representation of $\alpha/\beta$ can easily be obtained from this.
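The following Python program is an added illustration of Section 4.2.2 and is not code from the book. It implements multiplication of standard representations through the precomputed table $r_{k,i}$ and the $z_k$ formula above, and division by inverting $B$ modulo $T$. For the inverse it uses the extended Euclidean algorithm over $\mathbb{Q}[X]$ in exact rational arithmetic rather than the sub-resultant algorithm, which yields the same $U$ up to the constant $d$. The example field $K = \mathbb{Q}(\theta)$ with $T(X) = X^3 - 2$ is an assumption made for the example.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

# Example field assumed for this illustration: K = Q(theta) with T(X) = X^3 - 2.
# A polynomial is a list of coefficients indexed by degree, so T = [t_0, ..., t_n] with t_n = 1.
T_EXAMPLE = [-2, 0, 0, 1]


def reduction_table(T):
    """r[k][i] with theta^(n+k) = sum_i r[k][i] theta^i for 0 <= k <= n-2 (the r_{k,i} of the text)."""
    n = len(T) - 1
    r = [[-T[i] for i in range(n)]]                       # r_{0,i} = -t_i
    for k in range(1, n - 1):
        prev, top = r[k - 1], r[k - 1][n - 1]
        r.append([-T[0] * top] + [prev[i - 1] - T[i] * top for i in range(1, n)])
    return r


def normalize(z, den):
    """Standard representation: divide by gcd(z_0, ..., z_{n-1}, den) and make den > 0."""
    g = reduce(gcd, z, den)
    if den < 0:
        g = -g
    return tuple(v // g for v in z) + (den // g,)


def mul(a, b, T):
    """Product of alpha = (a_0..a_{n-1}, d) and beta = (b_0..b_{n-1}, e), both in standard representation."""
    n = len(T) - 1
    r = reduction_table(T)
    c = [0] * (2 * n - 1)                                 # c_k = sum_{i+j=k} a_i b_j
    for i in range(n):
        for j in range(n):
            c[i + j] += a[i] * b[j]
    z = [c[k] + sum(r[i][k] * c[n + i] for i in range(n - 1)) for k in range(n)]
    return normalize(z, a[n] * b[n])


def _trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p


def _divmod(a, b):
    """Quotient and remainder in Q[X] (coefficient lists of Fractions, b != 0)."""
    a, b = _trim([Fraction(x) for x in a]), _trim([Fraction(x) for x in b])
    q = [Fraction(0)] * max(len(a) - len(b) + 1, 1)
    while len(a) >= len(b):
        k, coef = len(a) - len(b), a[-1] / b[-1]
        q[k] = coef
        for i in range(len(b)):
            a[k + i] -= coef * b[i]
        _trim(a)
    return q, a


def inverse_mod(B, T):
    """U in Q[X] with U*B = 1 (mod T) by the extended Euclidean algorithm over Q[X].
    The text obtains U*B + V*T = d (d a constant) by the sub-resultant algorithm; here d is scaled
    to 1.  T irreducible and 0 < deg B < deg T guarantee that the last non-zero remainder is a constant."""
    r0, r1 = _trim([Fraction(x) for x in T]), _trim([Fraction(x) for x in B])
    if not r1:
        raise ZeroDivisionError("division by zero in K")
    u0, u1 = [Fraction(0)], [Fraction(1)]                 # invariant: r_i = u_i * B (mod T)
    while r1:
        q, rem = _divmod(r0, r1)
        u2 = [Fraction(0)] * max(len(u0), len(q) + len(u1) - 1)
        for i, x in enumerate(u0):
            u2[i] += x
        for i, x in enumerate(q):                         # u2 = u0 - q * u1
            for j, y in enumerate(u1):
                u2[i + j] -= x * y
        r0, r1, u0, u1 = r1, rem, u1, _trim(u2)
    return [x / r0[0] for x in u0]


def inv(b, T):
    """Standard representation of 1/beta: beta = B/e, hence 1/beta = e * U."""
    n = len(T) - 1
    coeffs = ([b[n] * u for u in inverse_mod(list(b[:n]), T)] + [Fraction(0)] * n)[:n]
    den = reduce(lambda x, y: x * y // gcd(x, y), (c.denominator for c in coeffs), 1)
    return normalize([int(c * den) for c in coeffs], den)


def div(a, b, T):
    """alpha / beta = alpha * (1/beta)."""
    return mul(a, inv(b, T), T)


if __name__ == "__main__":
    alpha = (1, 1, 0, 1)                                  # 1 + theta
    print(mul(alpha, alpha, T_EXAMPLE))                   # (1, 2, 1, 1)   = 1 + 2 theta + theta^2
    print(inv(alpha, T_EXAMPLE))                          # (1, -1, 1, 3)  = (1 - theta + theta^2)/3
    print(div(alpha, alpha, T_EXAMPLE))                   # (1, 0, 0, 1)
```

The representation $(1, -1, 1, 3)$ returned for $1/(1+\theta)$ is checked by the identity $(1+\theta)(1-\theta+\theta^2) = 1 + \theta^3 = 3$; the gcd normalization in `normalize` is what keeps the denominator minimal after every product.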


4.2.3  The  Matrix  (or  Regular)  Representation  of  an  Algebraic 
Number 

A third way to represent algebraic numbers is by the use of integral matrices. If $\theta_j$ ($1 \le j \le n$) is a $\mathbb{Q}$-basis of $K$ and if $\alpha \in K$, then multiplication by $\alpha$ is an endomorphism of the $\mathbb{Q}$-vector space $K$, and we can represent $\alpha$ by the matrix $M_\alpha$ of this endomorphism in the basis $\theta_j$. This will be a matrix with rational entries, hence one can write $M_\alpha = M'/d$ where $M'$ has integral entries, $d$ is a positive integer, and the greatest common divisor of all the entries of $M'$ is coprime to $d$. This representation is of course unique, and it is clear that the map $\alpha \mapsto M_\alpha$ is an algebra homomorphism from $K$ to the algebra of $n \times n$ matrices over $\mathbb{Q}$. Thus one can compute on algebraic numbers simply by computing with the corresponding matrices. The running time is usually longer however, since more elements are involved. For example, the simple operation of addition takes $O(n^2)$ operations, while it clearly needs only $O(n)$ operations in the standard representation. The matrix representation is clearly more suited for multiplication and division. (Division is performed using the remark following Algorithm 2.2.2.)
4.2.4 The Conjugate Vector Representation of an Algebraic Number

The last method of representing an algebraic number $\alpha$ in a number field $K = \mathbb{Q}(\theta)$ that I want to mention is to represent $\alpha$ by numerical approximations to its conjugates, repeated with multiplicity. More precisely, let $\sigma_j$ be the $n = \deg(K)$ distinct embeddings of $K$ in $\mathbb{C}$, ordered in the following standard way: $\sigma_1, \ldots, \sigma_{r_1}$ are the real embeddings, and $\sigma_{r_1+r_2+i} = \overline{\sigma_{r_1+i}}$ for $1 \le i \le r_2$. If $\alpha = \sum_{i=0}^{n-1} a_i\theta^i$ with $a_i \in \mathbb{Q}$, then

$$\sigma_j(\alpha) = \sum_{i=0}^{n-1} a_i\,\sigma_j(\theta)^i,$$

and the $\sigma_j(\alpha)$ are the conjugates of $\alpha$, but in a specific order (corresponding to the choice of the ordering on the $\sigma_j$), and repeated with a constant multiplicity $n/\deg(\alpha)$. We can then represent $\alpha$ as the $(r_1 + r_2)$-uplet of complex numbers

$$(\sigma_1(\alpha), \ldots, \sigma_{r_1+r_2}(\alpha)),$$

where the complex numbers $\sigma_j(\alpha)$ are given by a sufficiently good approximation. Operations on this representation are quite trivial since they are done componentwise. In particular, division, which was difficult in the other representations, becomes very simple here. Unfortunately, there is a price to pay: one must be able to go back to one of the exact representations (for example to the standard representation), and hence have good control on the roundoff errors.

For this, we precompute the inverse of the matrix $\Theta = (\sigma_i(\theta^{j-1}))$. Then, if one knows the conjugate representation of a number $\alpha$, and an integer $d$ such that $d\alpha \in \mathbb{Z}[\theta]$, one can write $\alpha = (\sum_{j=1}^{n} a_{j-1}\theta^{j-1})/d$ where the $a_j$ are integers, and the column vector $(a_0, \ldots, a_{n-1})^t$ can be obtained as the product $d\,\Theta^{-1}(\sigma_1(\alpha), \ldots, \sigma_n(\alpha))^t$. Since the $a_i$ are integers, if the roundoff errors have been controlled and are not too large, this gives the $a_i$ exactly (note that in practice one can work with matrices over $\mathbb{R}$ and not over $\mathbb{C}$; the details are left to the reader).

In practice, one can ignore roundoff errors and start with quite precise numerical approximations. Then every operation except division is done using the standard representation, while for division one computes the conjugate representation of the result, converts back, and then checks by exact multiplication that the roundoff errors did not accumulate to give a wrong result. (If they did, this means that one must work with a higher precision.)
4.3 Trace, Norm and Characteristic Polynomial

If $\alpha$ is an algebraic number, the trace (resp. the norm) of $\alpha$ is by definition the sum (resp. the product) of the conjugates of $\alpha$. If $A(X) = \sum_{i=0}^{m} a_i X^i$ is its minimal polynomial, then we clearly have

$$\mathrm{Tr}(\alpha) = -\frac{a_{m-1}}{a_m} \qquad \text{and} \qquad \mathcal{N}(\alpha) = (-1)^m\,\frac{a_0}{a_m},$$

where $\mathrm{Tr}$ and $\mathcal{N}$ denote the trace and norm of $\alpha$ respectively. Usually however, $\alpha$ is considered as an element of a number field $K$. If $K = \mathbb{Q}(\alpha)$, then the definitions above are OK, but if $\mathbb{Q}(\alpha) \subsetneq K$, then it is necessary to modify the definitions so that $\mathrm{Tr}$ becomes additive and $\mathcal{N}$ multiplicative. More generally, we put:

Definition 4.3.1. Let $K$ be a number field of degree $n$ over $\mathbb{Q}$, and let $\sigma_i$ be the $n$ distinct embeddings of $K$ in $\mathbb{C}$.

(1) The characteristic polynomial $C_\alpha$ of $\alpha$ in $K$ is

$$C_\alpha(X) = \prod_{1 \le i \le n} (X - \sigma_i(\alpha)).$$

(2) If we set

$$C_\alpha(X) = \sum_{0 \le i \le n} (-1)^i\, s_i(\alpha)\, X^{n-i},$$

then $s_k(\alpha)$ is a rational number and will be called the $k$th symmetric function of $\alpha$ in $K$.

(3) In particular, $s_1(\alpha)$ is called the trace of $\alpha$ in $K$ and denoted $\mathrm{Tr}_{K/\mathbb{Q}}(\alpha)$, and similarly $s_n(\alpha)$ is called the norm of $\alpha$ in $K$ and denoted $\mathcal{N}_{K/\mathbb{Q}}(\alpha)$.


As has already been mentioned, one must be careful to distinguish the absolute trace of $\alpha$, which we have denoted $\mathrm{Tr}(\alpha)$, from the trace of $\alpha$ in the field $K$, denoted $\mathrm{Tr}_{K/\mathbb{Q}}(\alpha)$, and similarly with the norms. More precisely, we have the following proposition:

Proposition 4.3.2. Let $K$ be a number field of degree $n$, $\sigma_i$ the $n$ distinct embeddings of $K$ in $\mathbb{C}$.

(1) If $\alpha \in K$ has degree $m$ (hence with $m$ dividing $n$), we have

$$\mathrm{Tr}_{K/\mathbb{Q}}(\alpha) = \sum_{1 \le i \le n} \sigma_i(\alpha) = \frac{n}{m}\,\mathrm{Tr}(\alpha)$$

and

$$\mathcal{N}_{K/\mathbb{Q}}(\alpha) = \prod_{1 \le i \le n} \sigma_i(\alpha) = (\mathcal{N}(\alpha))^{n/m}.$$

(2) For any $\alpha$ and $\beta$ in $K$ we have

$$\mathrm{Tr}_{K/\mathbb{Q}}(\alpha + \beta) = \mathrm{Tr}_{K/\mathbb{Q}}(\alpha) + \mathrm{Tr}_{K/\mathbb{Q}}(\beta)$$

and

$$\mathcal{N}_{K/\mathbb{Q}}(\alpha\beta) = \mathcal{N}_{K/\mathbb{Q}}(\alpha)\,\mathcal{N}_{K/\mathbb{Q}}(\beta).$$

(3) $\alpha$ is an algebraic integer if and only if $s_k(\alpha) \in \mathbb{Z}$ for all $k$ such that $1 \le k \le n$ (note that $s_0(\alpha) = 1$).


As usual, we must find algorithms to compute traces, norms and more generally characteristic polynomials of algebraic numbers. Since we have seen four different representations of algebraic numbers (viz. by a minimal polynomial, by the standard representation, by the matrix representation and by the conjugate vector representation), there are at least that many methods to do the job. We will only sketch these methods, except when they involve fundamentally new ideas. We always assume that our number field is given as $K = \mathbb{Q}(\theta)$ where $\theta$ is an algebraic integer whose monic minimal polynomial of degree $n$ is denoted $T(X)$. We denote by $\sigma_i$ the $n$ embeddings of $K$ in $\mathbb{C}$.

In the case where $\alpha$ is represented by its minimal polynomial $A(X)$, each of the $m = \deg(A)$ embeddings of $\mathbb{Q}(\alpha)$ in $\mathbb{C}$ lifts to exactly $n/m$ embeddings among the $\sigma_i$, hence it easily follows that

$$C_\alpha(X) = A(X)^{n/m}$$

(for $A$ normalized to be monic), and this immediately implies Proposition 4.3.2 (1), i.e. if we write $A(X) = \sum_{0 \le i \le m} a_i X^i$, then

$$\mathrm{Tr}_{K/\mathbb{Q}}(\alpha) = -\frac{n}{m}\,\frac{a_{m-1}}{a_m}, \qquad \mathcal{N}_{K/\mathbb{Q}}(\alpha) = \left((-1)^m\,\frac{a_0}{a_m}\right)^{n/m}.$$

In the case where $\alpha$ is given by its standard representation

$$\alpha = \frac{1}{d}\left(\sum_{0 \le i \le n-1} a_i\theta^i\right),$$

the only symmetric function which is relatively easy to compute is the trace, since we can precompute the trace of $\theta^i$ using Newton's formulas as follows.

Proposition 4.3.3. Let $\theta_i$ be the roots (repeated with multiplicity) of a monic polynomial $T(X) = \sum_{0 \le i \le n} t_i X^i \in \mathbb{C}[X]$ of degree $n$ and set $S_k = \sum_i \theta_i^k$. Then

$$S_k = -k\,t_{n-k} - \sum_{i=1}^{k-1} t_{n-i}\,S_{k-i}$$

(where we set $t_i = 0$ for $i < 0$).
This result is well known and its proof is left to the reader (Exercise 3). We can however compute all the symmetric functions, i.e. the characteristic polynomial, by using resultants, as follows.

Proposition 4.3.4. Let $K = \mathbb{Q}(\theta)$ be a number field where $\theta$ is a root of a monic irreducible polynomial $T(X) \in \mathbb{Z}[X]$ of degree $n$, and let

$$\alpha = \frac{1}{d}\left(\sum_{0 \le i \le n-1} a_i\theta^i\right)$$

be the standard representation of some $\alpha \in K$. Set $A(X) = \sum_{0 \le i \le n-1} a_i X^i$. Then the characteristic polynomial $C_\alpha(X)$ of $\alpha$ is given by the formula

$$C_\alpha(X) = d^{-n}\,R_Y\big(T(Y),\, dX - A(Y)\big),$$

where $R_Y$ denotes the resultant taken with respect to the variable $Y$. In particular, we have

$$\mathcal{N}_{K/\mathbb{Q}}(\alpha) = d^{-n}\,R\big(T(X), A(X)\big).$$


Proof. We have by definition

$$C_\alpha(X) = \prod_i \big(X - \sigma_i(\alpha)\big) = \prod_i \left(X - \frac{A(\theta_i)}{d}\right) = d^{-n}\prod_i \big(dX - A(\theta_i)\big) = d^{-n}\,R_Y\big(T(Y),\, dX - A(Y)\big),$$

where the $\theta_i$ are the conjugates of $\theta$, i.e. the roots of $T$. The formula for the norm follows immediately on setting $X = 0$. □

Since  the  resultant  can  be  computed  efficiently  by  the  sub-resultant  Algo¬ 
rithm  3.3.7,  used  here  in  the  UFD’s  Z[X]  and  Z,  we  see  that  this  proposition 
gives  an  efficient  way  to  compute  the  characteristic  polynomial  and  the  norm 
of  an  algebraic  number  given  in  its  standard  representation. 

In the case where $\alpha$ is given by numerical approximations to its conjugates, as usual we also assume that we know an integer $d$ such that $d\alpha \in \mathbb{Z}[\theta]$. Then we can compute numerically $C_{d\alpha}(X) = \prod_i \big(X - d\,\sigma_i(\alpha)\big)$, and this must have integer coefficients. Hence, if we have sufficient control on the roundoff errors and sufficient accuracy on the conjugates of $\alpha$, this enables us to compute $C_{d\alpha}(X)$ exactly, hence $C_\alpha(X) = d^{-n}\,C_{d\alpha}(dX)$.

Finally, we consider the case where $\alpha$ is given by its matrix representation $M_\alpha$ in the basis $1, \theta, \ldots, \theta^{n-1}$, where $dM_\alpha$ has integral coefficients for some integer $d$. Then the characteristic polynomial of $\alpha$ is simply equal to the characteristic polynomial of $M_\alpha$ (meaning always $\det(XI_n - M_\alpha)$). In particular, the trace can be read off trivially on the diagonal coefficients, and the norm is equal to the determinant of $M_\alpha$ (the constant term of the characteristic polynomial being $(-1)^n\det(M_\alpha)$).

The characteristic polynomial can be computed using one of the algorithms described in Section 2.2.4, and the determinant using Algorithm 2.2.6.

In  practice,  it  is  not  completely  clear  which  representation  is  preferable. 
A  reasonable  choice  is  probably  to  use  the  standard  representation  and  the 
sub-resultant  algorithm.  This  depends  on  the  context  however,  and  one  should 
always  be  aware  of  each  of  the  four  possibilities  to  handle  algebraic  numbers. 
Keep  in  mind  that  it  is  usually  costly  to  go  from  one  representation  to  another, 
so  for  a  given  problem  the  representation  should  be  fixed. 


4.4  Discriminants,  Integral  Bases  and  Polynomial 
Reduction 

4.4.1  Discriminants  and  Integral  Bases 
We  have  the  following  basic  result. 

Proposition 4.4.1. Let $K$ be a number field of degree $n$, $\sigma_i$ be the $n$ embeddings of $K$ in $\mathbb{C}$, and $\alpha_j$ be a set of $n$ elements of $K$. Then we have

$$\det\big(\sigma_i(\alpha_j)\big)^2 = \det\big(\mathrm{Tr}_{K/\mathbb{Q}}(\alpha_i\alpha_j)\big).$$

This quantity is a rational number and is called the discriminant of the $\alpha_i$, and denoted $d(\alpha_1, \ldots, \alpha_n)$. Furthermore, $d(\alpha_1, \ldots, \alpha_n) = 0$ if and only if the $\alpha_i$ are $\mathbb{Q}$-linearly dependent.

Proof. Consider the $n \times n$ matrix $M = (\sigma_i(\alpha_j))$. Then by definition of matrix multiplication, we have $M^tM = (u_{i,j})$ with

$$u_{i,j} = \sum_k \sigma_k(\alpha_i)\,\sigma_k(\alpha_j) = \mathrm{Tr}_{K/\mathbb{Q}}(\alpha_i\alpha_j).$$

Since $\det(M^t) = \det(M)$ the equality of the proposition follows. Since $\mathrm{Tr}_{K/\mathbb{Q}}(\alpha) \in \mathbb{Q}$ the discriminant is a rational number. If the $\alpha_j$ are $\mathbb{Q}$-linearly dependent, it is clear that the columns of the matrix $M$ are also (since $\mathbb{Q}$ is invariant by the $\sigma_i$). Therefore the discriminant is equal to 0. Conversely assume that the discriminant is equal to 0. This means that the kernel of the matrix $M^tM$ is non-trivial, and since this matrix has coefficients in $\mathbb{Q}$, there exist $\lambda_i \in \mathbb{Q}$, not all zero, such that for every $j$, $\mathrm{Tr}(x\alpha_j) = 0$ where we have set $x = \sum_{1 \le i \le n} \lambda_i\alpha_i$. If the $\alpha_j$ were linearly independent over $\mathbb{Q}$, they would generate $K$ as a $\mathbb{Q}$-vector space, and so we would have $\mathrm{Tr}(xy) = 0$ for all $y \in K$ with $x \ne 0$. Taking $y = 1/x$ gives $\mathrm{Tr}(1) = n = 0$, a contradiction, thus showing the proposition. □
Remark. We have just proved that the quadratic form $\mathrm{Tr}(x^2)$ is non-degenerate on $K$ using that $K$ is of characteristic zero (otherwise $n = 0$ may not be a contradiction). This is the definition of a separable extension. It is not difficult to show (see for example Proposition 4.8.11 or Exercise 5) that the signature of this quadratic form (i.e. the number of positive and negative squares after Gaussian reduction) is equal to $(r_1 + r_2, r_2)$ where as usual $(r_1, r_2)$ is the signature of the number field $K$.

Recall that we denote by $\mathbb{Z}_K$ the ring of (algebraic) integers of $K$. Then we also have:

Theorem 4.4.2. The ring $\mathbb{Z}_K$ is a free $\mathbb{Z}$-module of rank $n = \deg(K)$. This is true more generally for any non-zero ideal of $\mathbb{Z}_K$.

Proof (Sketch). Let $\alpha_j$ be a basis of $K$ as a $\mathbb{Q}$-vector space. Without loss of generality, we can assume that the $\alpha_j$ are algebraic integers. If $\Lambda$ is the (free) $\mathbb{Z}$-module generated by the $\alpha_j$, we clearly have $\Lambda \subset \mathbb{Z}_K$, and the formula $M^{-1} = M^{\mathrm{adj}}/\det(M)$ for the inverse of a matrix (see Section 2.2.4) shows that $d\,\mathbb{Z}_K \subset \Lambda$, where $d$ is the discriminant of the $\alpha_j$, whence the result. (Recall that a sub-$\mathbb{Z}$-module of a free module of rank $n$ is a free module of rank less than or equal to $n$, since $\mathbb{Z}$ is a principal ideal domain, see Theorem 2.4.1.) □

It  is  important  to  note  that  Z  being  a  PID  is  crucial  in  the  above  proof. 
Hence,  if  we  consider  relative  extensions,  Theorem  4.4.2  will  a  priori  be  true 
only  if  the  base  ring  is  also  a  PID,  and  this  is  not  always  the  case. 

Definition  4.4.3.  A  Z-basis  of  the  free  module  Z k  will  be  called  an  integral 
basis  of  K.  The  discriminant  of  an  integral  basis  is  independent  of  the  choice 
of  that  basis,  and  is  called  the  discriminant  of  the  field  K  and  is  denoted  by 
d(K). 


Note that, although the two notions are closely related, the discriminant of $K$ is not in general equal to the discriminant of an irreducible polynomial defining $K$. More precisely:

Proposition 4.4.4. Let $T$ be a monic irreducible polynomial of degree $n$ in $\mathbb{Z}[X]$, $\theta$ a root of $T$, and $K = \mathbb{Q}(\theta)$. Denote by $d(T)$ (resp. $d(K)$) the discriminant of the polynomial $T$ (resp. of the number field $K$).

(1) We have $d(1, \theta, \ldots, \theta^{n-1}) = d(T)$.

(2) If $f = [\mathbb{Z}_K : \mathbb{Z}[\theta]]$, we have

$$d(T) = d(K)\,f^2$$

and, in particular, $d(T)$ is a square multiple of $d(K)$.
The proof of this is easy and left to the reader. The number $f$ will be called the index of $\theta$ in $\mathbb{Z}_K$.

Proposition 4.4.5. The algebraic numbers $\alpha_1, \ldots, \alpha_n$ form an integral basis if and only if they are algebraic integers and $d(\alpha_1, \ldots, \alpha_n) = d(K)$, where $d(K)$ is the discriminant of $K$.

Proof. If $M$ is the matrix expressing the $\alpha_i$ on some integral basis of $K$, it is clear that $d(\alpha_1, \ldots, \alpha_n) = d(K)\det(M)^2$ and the proposition follows. □

We also have the following result due to Stickelberger:

Proposition 4.4.6. Let $\alpha_1, \ldots, \alpha_n$ be algebraic integers. Then

$$d(\alpha_1, \ldots, \alpha_n) \equiv 0 \text{ or } 1 \pmod 4.$$

Proof. If we expand the determinant $\det(\sigma_i(\alpha_j))$ using the $n!$ terms, we will get terms with a plus sign corresponding to permutations of even signature, and terms with a minus sign. Hence, collecting these terms separately, we can write the determinant as $P - N$, hence

$$d(\alpha_1, \ldots, \alpha_n) = (P - N)^2 = (P + N)^2 - 4PN.$$

Now clearly $P + N$ and $PN$ are symmetric functions of the $\alpha_i$, hence by Galois theory they are in $\mathbb{Q}$ and in fact in $\mathbb{Z}$ since the $\alpha_i$ are algebraic integers. This proves the proposition, since a square is always congruent to 0 or 1 mod 4. □

The determination of an explicit integral basis and of the discriminant of a number field is not an easy problem, and is one of the main tasks of this course. There is, however, one case in which the result is trivial:

Corollary 4.4.7. Let $T$ be a monic irreducible polynomial in $\mathbb{Z}[X]$, $\theta$ a root of $T$, and $K = \mathbb{Q}(\theta)$. Assume that the discriminant of $T$ is squarefree, or is equal to $4d$ where $d$ is squarefree and not congruent to 1 modulo 4. Then the discriminant of $K$ is equal to the discriminant of $T$, and an integral basis of $K$ is given by $1, \theta, \ldots, \theta^{n-1}$.

Proof. Since $d(T) = d(K)f^2$ with $f$ a positive integer, $f = 1$ when $d(T)$ is squarefree; when $d(T) = 4d$ with $d$ squarefree we have $f \le 2$, and $f = 2$ would give $d(K) = d \equiv 2$ or $3 \pmod 4$, which is impossible since a discriminant must be congruent to 0 or 1 mod 4. The corollary therefore follows immediately from the above propositions. □

Unfortunately,  this  corollary  is  not  of  much  use,  since  it  is  quite  rare  that 
the  condition  on  the  discriminant  of  T  is  satisfied.  We  will  see  in  Chapter  6  a 
complete  method  for  finding  an  integral  basis  and  hence  the  discriminant  of 
a  number  field. 
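The following Python program is an added illustration of Sections 4.3 and 4.4.1 and is not code from the book. It computes $\mathrm{Tr}(\theta^k)$ by Newton's formulas (Proposition 4.3.3), the trace of an element given in standard representation, and the discriminant of the power basis $1, \theta, \ldots, \theta^{n-1}$ as $\det(\mathrm{Tr}(\theta^{i+j}))$ (Proposition 4.4.1) with an exact integer determinant; by Proposition 4.4.4 (1) this is $d(T)$. The result is checked against Stickelberger's congruence (Proposition 4.4.6) and fed to the criterion of Corollary 4.4.7. The polynomials in the usage example ($X^3 - 2$, $X^3 - X - 1$, $X^2 + 1$, $X^2 - 5$) are assumptions made for the example; $X^2 - 5$ shows the corollary being inconclusive, since its discriminant $20 = 4 \cdot 5$ has $5 \equiv 1 \pmod 4$, and indeed $\mathbb{Z}[\sqrt5]$ has index 2 in $\mathbb{Z}_K$.

```python
from fractions import Fraction


def power_sums(T, kmax):
    """S_k = sum_i theta_i^k over the roots of monic T = sum t_i X^i, for 0 <= k <= kmax,
    by Newton's formulas (Proposition 4.3.3); t_i = 0 for i < 0 and S_0 = n."""
    n = len(T) - 1
    t = lambda i: T[i] if i >= 0 else 0
    S = [n]
    for k in range(1, kmax + 1):
        S.append(-k * t(n - k) - sum(t(n - i) * S[k - i] for i in range(1, k)))
    return S


def trace(alpha, T):
    """Tr_{K/Q}(alpha) for alpha = (a_0, ..., a_{n-1}, d) in standard representation.
    The trace is Q-linear, so it equals (1/d) * sum_i a_i Tr(theta^i)."""
    n = len(T) - 1
    S = power_sums(T, n - 1)
    return Fraction(sum(alpha[i] * S[i] for i in range(n)), alpha[n])


def det_bareiss(M):
    """Exact determinant of an integer matrix (fraction-free Gaussian elimination)."""
    M = [row[:] for row in M]
    n, sign, prev = len(M), 1, 1
    for k in range(n - 1):
        if M[k][k] == 0:
            piv = next((i for i in range(k + 1, n) if M[i][k] != 0), None)
            if piv is None:
                return 0
            M[k], M[piv], sign = M[piv], M[k], -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev
        prev = M[k][k]
    return sign * M[n - 1][n - 1]


def power_basis_discriminant(T):
    """d(1, theta, ..., theta^(n-1)) = det(Tr(theta^(i+j))) (Proposition 4.4.1); this equals
    the polynomial discriminant disc(T) by Proposition 4.4.4 (1)."""
    n = len(T) - 1
    S = power_sums(T, 2 * n - 2)
    return det_bareiss([[S[i + j] for j in range(n)] for i in range(n)])


def is_squarefree(m):
    """Trial-division squarefree test, adequate for the small discriminants of the example."""
    m = abs(m)
    p = 2
    while p * p <= m:
        if m % (p * p) == 0:
            return False
        while m % p == 0:
            m //= p
        p += 1
    return m != 0


def integral_basis_by_discriminant(T):
    """Corollary 4.4.7.  Returns (decided, disc(T)): decided is True exactly when disc(T) is
    squarefree, or equals 4d with d squarefree and d != 1 (mod 4); then Z_K = Z[theta] and
    d(K) = disc(T).  When False the corollary gives no information (the index may still be 1)."""
    D = power_basis_discriminant(T)
    assert D % 4 in (0, 1), "Stickelberger's congruence (Proposition 4.4.6) must hold"
    if is_squarefree(D):
        return True, D
    if D % 4 == 0 and is_squarefree(D // 4) and (D // 4) % 4 != 1:
        return True, D
    return False, D


if __name__ == "__main__":
    # Example polynomials assumed for this illustration (coefficient lists indexed by degree).
    for T in ([-2, 0, 0, 1], [-1, -1, 0, 1], [1, 0, 1], [-5, 0, 1]):
        print(T, integral_basis_by_discriminant(T))
    # (True, -23) for X^3 - X - 1; (False, -108) for X^3 - 2; (True, -4); (False, 20)
```

For $X^3 - 2$ the power basis is in fact an integral basis and $d(K) = -108$, but the corollary cannot see this because $-108 = 4 \cdot (-27)$ with $-27 \equiv 1 \pmod 4$; deciding such cases is what the round 2 algorithm of Chapter 6 is for.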
Finally, we note without proof the following consequence of the so-called "conductor-discriminant formula".

Proposition 4.4.8. Let $K$ and $L$ be number fields with $K \subset L$. Then

$$d(K)^{[L:K]} \mid d(L).$$

Corollary 4.4.9. Let $K = \mathbb{Q}(\alpha)$ and $L = \mathbb{Q}(\beta)$ be two number fields, let $m = \deg(K)$, $n = \deg(L)$, $A(X)$ (resp. $B(X)$) the minimal monic polynomial of $\alpha$ (resp. $\beta$). Write $d(A)$ and $d(B)$ for the discriminants of the polynomials $A$ and $B$. Assume that $K$ is conjugate to a subfield of $L$. Then if $p$ is a prime such that $v_p(d(A))$ is odd, we must have $p^{n/m} \mid d(B)$.

Proof. By Proposition 4.4.4, if $v_p(d(A))$ is odd then $p \mid d(K)$, where $d(K)$ is the discriminant of the field $K$. By the proposition we therefore have $p^{n/m} \mid d(L) \mid d(B)$, thus proving the corollary. □


4.4.2  The  Polynomial  Reduction  Algorithm 

We will see in Section 4.5 that it is not always easy to decide whether two number fields are isomorphic or not. Here we will give a heuristic approach based on the LLL algorithm and ideas of Diaz y Diaz and the author which often gives a useful answer to the following problem: given a number field $K$, can one find a monic irreducible polynomial defining $K$ which in a certain sense is as simple as possible?

Of course, if this could be done, the isomorphism problem would be completely solved. We will see in Chapters 5 and 6 that it is possible to do this for quadratic fields (in fact it is trivial in that case), and for certain classes of cubic fields, like cyclic cubic fields or pure cubic fields (see Section 6.4). In general, all one can hope for in practice is to find, maybe not the simplest, but a simple polynomial defining $K$.

A natural criterion of simplicity would be to take polynomials whose largest coefficients are as small as possible in absolute value (i.e. the $L^\infty$ norm on the coefficients), or such that the sum of the squares of the coefficients is as small as possible (the $L^2$ norm). Unfortunately, I know of no really efficient way of finding simple polynomials in this sense.

What we will in fact consider is the following "norm" on polynomials.

Definition 4.4.10. Let $P \in \mathbb{C}[X]$, and let $\alpha_i$ be the complex roots of $P$ repeated with multiplicity. We define the size of $P$ by the formula

$$\mathrm{size}(P) = \sum_i |\alpha_i|^2.$$

This is not a norm in the usual mathematical sense, but it seems reasonable to say that if the size (in this sense) of a polynomial is not large, then the polynomial is simple, and its coefficients should not be too large.

More precisely, we can show (see Exercise 6) that if $P = \sum_k a_k X^k$ is a monic polynomial and if $S = \mathrm{size}(P)$, then

Hence, the size of $P$ is related to the size of

$$\max_k |a_{n-k}|^{2/k}.$$

The reason we take this definition instead of an $L^p$ definition on the coefficients is that we can apply the LLL algorithm to find a polynomial of small size which defines the same number field $K$ as the one defined by a given polynomial $P$, while I do not know how to achieve this for the norms on the coefficients.

The method is as follows. Let $K$ be defined by a monic irreducible polynomial $P \in \mathbb{Z}[X]$. Using the round 2 Algorithm 6.1.8 which will be explained in Chapter 6, we compute an integral basis $\omega_1, \ldots, \omega_n$ of $\mathbb{Z}_K$. Furthermore, let $\sigma_j$ denote the $n$ isomorphisms of $K$ into $\mathbb{C}$. If we set

$$x = \sum_{i=1}^{n} x_i\,\omega_i$$

where the $x_i$ are in $\mathbb{Z}$, then $x$ is an arbitrary algebraic integer in $K$, hence its characteristic polynomial $M_x$ will be of the form $P_d^{n/d}$ where $P_d$ is the minimal polynomial of $x$ and $d$ the degree of $x$, and $P_d$ defines a subfield of $K$. In particular, when $d = n$, this defines an equation for $K$, and clearly all monic equations for $K$ with integer coefficients (as well as for subfields of $K$) are obtained in this way.

Now we have by definition

$$M_x(X) = \prod_{k=1}^{n}\left(X - \sum_{i=1}^{n} x_i\,\sigma_k(\omega_i)\right),$$

hence

$$\mathrm{size}(M_x) = \sum_{k=1}^{n}\left|\sum_{i=1}^{n} x_i\,\sigma_k(\omega_i)\right|^2.$$

This is clearly a quadratic form in the $x_i$'s, and more precisely

$$\mathrm{size}(M_x) = \sum_{i,j}\left(\sum_{1 \le k \le n}\sigma_k(\omega_i)\,\overline{\sigma_k(\omega_j)}\right)x_i x_j.$$

Note that in the case where $K$ is totally real, that is when all the $\sigma_k$ are real embeddings, this simplifies to

$$\mathrm{size}(M_x) = \sum_{i,j}\mathrm{Tr}(\omega_i\omega_j)\,x_i x_j,$$

which is now a quadratic form with integer coefficients which can easily be computed from the knowledge of the $\omega_i$.

In  any  case,  whether  K  is  totally  real  or  not,  we  can  apply  the  LLL 
algorithm  to  the  lattice  Zn  and  the  quadratic  form  size(Mx).  The  result  will  be 
a  set  of  n  vectors  x  corresponding  to  reasonably  small  values  of  the  quadratic 
form  (see  Section  2.6  for  quantitative  statements),  hence  to  polynomials  Mx 
of  small  size,  which  is  what  we  want.  Note  however  that  the  algebraic  integers 
x  that  we  obtain  in  this  way  will  often  have  a  minimal  polynomial  of  degree 
less  than  n,  in  other  words  x  will  define  a  subfield  of  K.  In  particular,  x  =  1 
is  always  obtained  as  a  short  vector,  and  this  defines  the  subfield  Q  of  K. 
Practical  experiments  with  this  method  show  however  that  there  will  always 
be  at  least  one  element  x  of  degree  exactly  n,  hence  defining  K,  and  its  minimal 
polynomial  will  hopefully  be  simpler  than  the  polynomial  P  from  which  we 
started. 

However the polynomials that we obtain in this way sometimes have greater coefficients than those of $P$. This is not too surprising since our definition of "size" of $P(X) = \sum_{0 \le k \le n} a_k X^k$ involves the size of the roots of $P$, hence of the quantities

$$|a_{n-k}|^{1/k},$$

more than the size of the coefficients themselves.

Note  that  as  a  by-product  of  this  method,  we  sometimes  also  obtain  sub¬ 
fields  of  K.  It  is  absolutely  not  true  however  that  we  obtain  all  subfields  of  K 
in  this  way.  Indeed,  the  LLL  algorithm  gives  us  at  most  n  subfields,  while  the 
number  of  subfields  of  K  may  be  much  larger. 

The  algorithm,  which  we  name  POLRED  for  polynomial  reduction,  is  as 
follows  (see  [Coh-Diaz]). 

Algorithm 4.4.11 (POLRED). Let $K = \mathbb{Q}(\theta)$ be a number field defined by a monic irreducible polynomial $P \in \mathbb{Z}[X]$. This algorithm gives a list of polynomials defining certain subfields of $K$ (including $\mathbb{Q}$), which are often simpler than the polynomial $P$, so these can be used to define the field $K$ if they are of degree equal to the degree of $K$.

1. [Compute the maximal order] Using the round 2 Algorithm 6.1.8 of Chapter 6, compute an integral basis $\omega_1, \ldots, \omega_n$ as polynomials in $\theta$.

2. [Compute matrix] If the field $K$ is totally real (which can be easily checked using Algorithm 4.1.11), set $m_{i,j} \leftarrow \mathrm{Tr}(\omega_i\omega_j)$ for $1 \le i, j \le n$, which will be an element of $\mathbb{Z}$. Otherwise, using Algorithm 3.6.6, compute a reasonably accurate value of $\theta$ and its conjugates $\sigma_j(\theta)$ as the roots of $P$, then the numerical values of $\sigma_j(\omega_k)$, and finally compute a reasonably accurate approximation to

$$m_{i,j} \leftarrow \sum_{1 \le k \le n}\sigma_k(\omega_i)\,\overline{\sigma_k(\omega_j)}$$

(note that this will be a real number).

3. [Apply LLL] Using the LLL Algorithm 2.6.3 applied to the inner product defined by the matrix $M = (m_{i,j})$ and to the standard basis of the lattice $\mathbb{Z}^n$, compute an LLL-reduced basis $b_1, \ldots, b_n$.

4. [Compute characteristic polynomials] For $1 \le i \le n$, using the formulas of Section 4.3, compute the characteristic polynomial $C_i$ of the element of $\mathbb{Z}_K$ corresponding to $b_i$ on the basis $\omega_1, \omega_2, \ldots, \omega_n$.

5. [Compute minimal polynomials] For $1 \le i \le n$, set $P_i \leftarrow C_i/(C_i, C_i')$ where the GCD is always normalized so as to be monic, and is computed by Euclid's algorithm. Output the polynomials $P_i$ and terminate the algorithm.

From what we have seen in Section 4.3, the characteristic polynomial $C_i$ of an element $x \in \mathbb{Z}_K$ is given by $C_i = P_i^k$, where $P_i$ is the minimal polynomial and $k$ is a positive integer, hence $C_i/(C_i, C_i') = P_i$, thus explaining step 5. In fact, to avoid ambiguities of sign which arise, it is also useful to make the following choice at the end of the algorithm. For each polynomial $P_i$, set $d_i \leftarrow \deg(P_i)$ and search for the non-zero monomial of largest degree $d$ such that $d \not\equiv d_i \pmod 2$. If such a monomial exists, make, if necessary, the change $P_i(X) \leftarrow (-1)^{d_i}P_i(-X)$ so that the sign of this monomial is negative.
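The following Python program is an added illustration of Algorithm 4.4.11; it is not taken from [Coh-Diaz] nor from any implementation of POLRED. It runs steps 2 to 5 for a totally real field in the special case where $\mathbb{Z}_K = \mathbb{Z}[\theta]$, so that step 1 is replaced by the power basis, and where the degree is prime, so that step 5 reduces to deciding whether $x$ is rational (for prime degree the characteristic polynomial of a non-rational $x$ is already irreducible). The example field $T(X) = X^3 - 4X - 1$ is an assumption made for the example: its discriminant 229 is prime, so Corollary 4.4.7 gives $\mathbb{Z}_K = \mathbb{Z}[\theta]$, and it is positive, so the cubic field is totally real. LLL is implemented from scratch in exact rational arithmetic with the Gram matrix as inner product; the characteristic polynomial is obtained from the matrix representation of Section 4.2.3 by the Faddeev-LeVerrier recursion rather than by the resultant of Proposition 4.3.4.

```python
from fractions import Fraction

# Example field assumed for this illustration: T(X) = X^3 - 4X - 1 (coefficients by degree).
T_EXAMPLE = [-1, -4, 0, 1]

identity = lambda n: [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]


def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def companion(T):
    """Matrix of multiplication by theta on the basis 1, theta, ..., theta^(n-1)."""
    n = len(T) - 1
    C = [[Fraction(0)] * n for _ in range(n)]
    for i in range(1, n):
        C[i][i - 1] = Fraction(1)               # theta * theta^(i-1) = theta^i
    for i in range(n):
        C[i][n - 1] = Fraction(-T[i])           # theta * theta^(n-1) = -sum_i t_i theta^i
    return C


def mult_matrix(x, T):
    """Matrix representation (Section 4.2.3) of x = sum x_i theta^i, i.e. M_x = sum x_i C^i."""
    n = len(T) - 1
    C, P, M = companion(T), identity(n), [[Fraction(0)] * n for _ in range(n)]
    for xi in x:
        M = [[M[i][j] + xi * P[i][j] for j in range(n)] for i in range(n)]
        P = matmul(P, C)
    return M


def charpoly(M):
    """Coefficients c_0, ..., c_n of det(X I - M) by the Faddeev-LeVerrier recursion."""
    n = len(M)
    c = [Fraction(0)] * n + [Fraction(1)]
    N = [[Fraction(0)] * n for _ in range(n)]
    for k in range(1, n + 1):
        N = matmul(M, N)
        for i in range(n):
            N[i][i] += c[n - k + 1]
        MN = matmul(M, N)
        c[n - k] = -sum(MN[i][i] for i in range(n)) / k
    return c


def lll_gram(G, delta=Fraction(3, 4)):
    """LLL-reduce the standard basis of Z^n for the positive definite form with Gram matrix G.
    Exact rational arithmetic; Gram-Schmidt data is recomputed after every change (fine for small n)."""
    n = len(G)
    b = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    ip = lambda u, v: sum(u[i] * G[i][j] * v[j] for i in range(n) for j in range(n))

    def gso():
        bstar, Bn, mu = [], [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = ip(b[i], bstar[j]) / Bn[j]
                v = [v[t] - mu[i][j] * bstar[j][t] for t in range(n)]
            bstar.append(v)
            Bn.append(ip(v, v))
        return mu, Bn

    mu, Bn = gso()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size reduction of b_k
            q = round(mu[k][j])
            if q:
                b[k] = [b[k][t] - q * b[j][t] for t in range(n)]
                mu, Bn = gso()
        if Bn[k] >= (delta - mu[k][k - 1] ** 2) * Bn[k - 1]:    # Lovasz condition
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            mu, Bn = gso()
            k = max(k - 1, 1)
    return [[int(v) for v in vec] for vec in b]


def normalize_sign(p):
    """Sign convention at the end of the algorithm: the highest monomial whose degree has the
    parity opposite to deg P gets a negative coefficient, using P(X) -> (-1)^deg P(-X)."""
    d = len(p) - 1
    for k in range(d - 1, -1, -1):
        if p[k] != 0 and (d - k) % 2 == 1:
            if p[k] > 0:
                p = [-v if (d - i) % 2 == 1 else v for i, v in enumerate(p)]
            break
    return p


def polred(T):
    """Steps 2-5 of POLRED for a totally real K = Q(theta) of prime degree with Z_K = Z[theta]
    (assumptions of this example).  Returns monic integer polynomials as coefficient lists."""
    n = len(T) - 1
    C, P, tr = companion(T), identity(n), []
    for _ in range(2 * n - 1):                  # Tr(theta^k) is the trace of C^k
        tr.append(sum(P[i][i] for i in range(n)))
        P = matmul(P, C)
    G = [[tr[i + j] for j in range(n)] for i in range(n)]     # step 2: m_{ij} = Tr(w_i w_j)
    out = []
    for x in lll_gram(G):                       # step 3
        if all(v == 0 for v in x[1:]):          # x rational: minimal polynomial is X - x_0
            p = [-x[0], 1]
        else:                                   # prime degree: C_x is the minimal polynomial
            p = [int(c) for c in charpoly(mult_matrix(x, T))]   # step 4
        out.append(normalize_sign(p))           # step 5 reduces to the sign convention here
    return out


if __name__ == "__main__":
    for p in polred(T_EXAMPLE):
        print(p)      # [-1, 1], [-1, -4, 0, 1] and [-2, -5, -1, 1], i.e. X - 1, T itself, X^3 - X^2 - 5X - 2
```

On this field the Gram matrix is $\big(\mathrm{Tr}(\theta^{i+j})\big) = \begin{pmatrix} 3 & 0 & 8 \\ 0 & 8 & 3 \\ 8 & 3 & 32 \end{pmatrix}$, whose determinant is $229 = d(T)$ as Proposition 4.4.1 predicts; LLL returns the vectors $(1,0,0)$, $(0,1,0)$, $(-3,0,1)$, so the output consists of $X - 1$ (the subfield $\mathbb{Q}$), the starting polynomial, and the polynomial of $\theta^2 - 3$, whose discriminant is again 229 and which therefore also generates $\mathbb{Z}_K$.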

Let us give an example of the use of the POLRED algorithm. This example is taken from work of M. Olivier. Consider the polynomial

$$T(X) = X^6 + 2X^5 - 7X^4 - 12X^3 + 10X^2 + 17X + 4.$$

Using the methods of Section 3.5, one easily shows that this polynomial is irreducible over $\mathbb{Q}$, hence defines a number field $K$ of degree 6. Furthermore, using Algorithm 3.6.6, one computes that the complex roots of $T$ are approximately equal to

$$-2.7494482169,\ -1.7152399972,\ -0.8531562311,\ -0.3074682781,\ 1.5839340557,\ 2.0413786677.$$

Using the methods of the preceding section, it is then easy to check that this field has no proper subfield apart from $\mathbb{Q}$.

From this and the classification of transitive permutation groups of degree 6 which we will see in Section 6.3, we deduce that the Galois group $G$ of the Galois closure of $K$ is isomorphic either to the alternating groups $A_5$ or $A_6$, or to the symmetric groups $S_5$ or $S_6$. Now using the sub-resultant Algorithm 3.3.7 or Proposition 3.3.5 one computes that

$$\operatorname{disc}(T) = 11699^2,$$

so by Proposition 6.3.1, we have $G \subset A_6$, hence $G$ is isomorphic either to $A_5$ or to $A_6$.

Distinguishing between the two is done by using one of the resolvent functions given in Section 6.3, and the resolvent polynomial obtained is

$$R(X) = X^6 + 3694X^5 + 1246830X^4 - 7355817976X^3 - 5140929655107X^2 + 3486026298845999X + 2593668315970494361.$$

A computation of the roots of this polynomial shows that it has an integer root $x = -673$, and the results of Section 6.3 imply that $G$ is isomorphic to $A_5$. In addition, $Q(X) = R(X)/(X + 673)$ is an irreducible fifth degree polynomial which defines a number field with the same discriminant as $K$. We have

$$Q(X) = X^5 + 3021X^4 - 786303X^3 - 6826636057X^2 - 546603588746X + 3853890514072057,$$

and the discriminant of $Q$ (which must be a square by Proposition 6.3.1) has 63 decimal digits. Now if we apply the POLRED algorithm, we obtain five polynomials, four of which define the same field as $Q$, and the polynomial with the smallest discriminant is

$$S(X) = X^5 - 2X^4 - 13X^3 + 37X^2 - 21X - 1,$$

a polynomial which is much more appealing than $Q$!

We compute that $\operatorname{disc}(S) = 11699^2$, hence this is the discriminant of the number field $K$ as well as of the number field defined by the polynomial $S$.

There was a small amount of cheating in the above example: since $\operatorname{disc}(Q)$ is a 63 digit number, the POLRED algorithm, which in particular computes an integral basis of $K$ hence needs to factor $\operatorname{disc}(Q)$, may need quite a lot of time to factor this discriminant. We can however in this case "help" the POLRED algorithm by telling it that $\operatorname{disc}(Q)$ is a square, which we know a priori, but which is not usually tested for in a factoring algorithm since it is quite a rare occurrence. This is how the above example was computed in practice, and the whole computation, including typing the commands, took only a few minutes on a workstation.

We can slightly modify the POLRED algorithm so as to obtain a defining polynomial for a number field which is as canonical as possible. One possibility is as follows.

We first need a notation. If $Q(X) = \sum_{0 \le i \le n} a_i X^i$ is a polynomial of degree $n$, we set

$$v(Q) = \bigl(|\operatorname{disc}(Q)|,\ \operatorname{size}(Q),\ |a_n|,\ |a_{n-1}|,\ \dots,\ |a_1|,\ |a_0|\bigr).$$


Algorithm 4.4.12 (Pseudo-Canonical Defining Polynomial). Given a number field $K$ defined by a monic irreducible polynomial $P \in \mathbb{Z}[X]$ of degree $n$, this algorithm outputs another polynomial defining $K$ which is as canonical as possible.

1. [Apply POLRED] Apply the POLRED algorithm to $P$, and let $P_i$ (for $i = 1, \dots, n$) be the $n$ polynomials which are output by the POLRED algorithm. If none of the $P_i$ are of degree $n$, output a message saying that the algorithm failed, and terminate the algorithm. Otherwise, let $E$ be the set of $i$ such that $P_i$ is of degree $n$.

2. [Minimize $v(P_i)$] If $E$ has a single element $i$, let $Q$ be the corresponding $P_i$. If not, for each $i \in E$ compute $v_i \leftarrow v(P_i)$ and let $v$ be the smallest $v_i$ for the lexicographic ordering of the components. Let $Q$ be any $P_i$ such that $v(P_i) = v$.

3. [Possible sign change] Search for the non-zero monomial of largest degree $d$ such that $d \not\equiv n \pmod 2$. If such a monomial exists, make, if necessary, the change $Q(X) \leftarrow (-1)^n Q(-X)$ so that the sign of this monomial is negative.

4. [Terminate] Output $Q$ and terminate the algorithm.

Remarks.

(1) The algorithm may fail, i.e. the POLRED algorithm may give only polynomials of degree less than $n$. That this is possible in principle has been shown by H. W. Lenstra (private communication), but in practice, on more than 100000 polynomials of various degrees, I have never encountered a failure. It seems that failure is very rare.

(2) At the end of step 2 there may be several $i$ such that $v_i = v$. In that case, it may be useful to output all the possibilities (after executing step 3 on each of them) instead of only one. In practice, this is also uncommon.

(3) Although Algorithm 4.4.12 makes an effort towards finding a polynomial defining $K$ with small index $f = [\mathbb{Z}_K : \mathbb{Z}[\theta]]$, it should not be expected that it always finds a polynomial with the smallest possible index. An example is the polynomial $X^3 - X^2 - 20X + 9$ which naturally defines the cyclic cubic field with discriminant $61^2$ (see Theorem 6.4.6). Algorithm 4.4.12 finds that this is the pseudo-canonical polynomial defining the cubic field, but it has index equal to 3, while for example the polynomial $X^3 + 12X^2 - 13X + 3$ has index equal to 1. The reason for this behavior is that the notion of "size" of a polynomial is rather indirectly related to the size of the index. See also Exercise 8.
4.5 The Subfield Problem and Applications

Let $K = \mathbb{Q}(\alpha)$ and $L = \mathbb{Q}(\beta)$ be number fields of degree $m$ and $n$ respectively, and let $A(X), B(X) \in \mathbb{Z}[X]$ be the minimal polynomials of $\alpha$ and $\beta$ respectively. The basic subfield problem is as follows. Determine whether or not $K$ is isomorphic to a subfield of $L$, or in more down-to-earth terms whether or not some conjugate of $\alpha$ belongs to $L$. We could of course ask more precisely if $\alpha$ itself belongs to $L$, and we will see that the answer to this question follows essentially from the answer to the apparently weaker one.

We start with two fast tests. First, if $K$ is conjugate to a subfield of $L$, then the degree of $K$ clearly must divide the degree of $L$.

The second test follows from Corollary 4.4.9. We compute $d(A)$ and $d(B)$ and for each odd prime $p$ such that $v_p(d(A))$ is odd, test whether or not $p^{n/m} \mid d(B)$. Note that according to Exercise 15, it is not necessary to assume that $A$ and $B$ are monic, i.e. that $\alpha$ and $\beta$ are algebraic integers.

We could use the more stringent test $d(K)^{n/m} \mid d(L)$ using Proposition 4.4.8 directly, but this requires the computation of field discriminants, hence essentially of integral bases, and this is often lengthy. So, we do not advise using this more stringent test unless the field discriminants can be obtained cheaply.

We therefore assume that the above tests have been passed successfully. We will give three different methods for solving our problem. The first two require good approximations to the complex roots of the polynomials $A$ and $B$ (computed using for example Algorithm 3.6.6), while the third is purely algebraic, but slower.


4.5.1 The Subfield Problem Using the LLL Algorithm

Let $\beta$ be an arbitrary, but fixed root of the polynomial $B$ in $\mathbb{C}$. If $K$ is conjugate to a subfield of $L$, then some root $\alpha_i$ of $A$ is of the form $P(\beta)$ for some $P \in \mathbb{Q}[X]$ of degree less than $n$. In other words, the complex numbers $1, \beta, \dots, \beta^{n-1}, \alpha_i$ are $\mathbb{Z}$-linearly dependent. To check this, use the LLL algorithm or one of its variations, as described in Section 2.7.2, on each root of $A$ (or on the root we are specifically interested in, as the case may be). Then two things may happen. Either the algorithm gives a linear combination which is not very small in appearance, or it seems to find something reasonable. The reader will notice that in none of these cases have we proved anything. If, however, we are in the situation where LLL apparently found a nice relation, this can now be proved: assume the relation gives $\alpha_i = P(\beta)$ for some polynomial $P$ with rational coefficients. (Note that the coefficient of $\alpha_i$ in the linear combination which has been found must be non-zero, otherwise this would mean that the minimal polynomial of $\beta$ is not irreducible.) To test whether this relation is true, it is now necessary simply to check that

$$A \circ P \equiv 0 \pmod B,$$

where $A$ and $B$ are the minimal polynomials of $\alpha$ and $\beta$ respectively. Indeed, if this is true, this means that $P(\beta)$ is a root of $A$, i.e. a conjugate of $\alpha_i$, hence is $\alpha_i$ itself since LLL told us that it was numerically very close to $\alpha_i$.

To compute $C = A \circ P \pmod B$, we use a form of Horner's rule for evaluating polynomials: if $A(X) = \sum_{0 \le i \le m} a_i X^i$, then we set $C \leftarrow a_m$, and for $i = m-1, m-2, \dots, 0$ we compute $C \leftarrow (a_i + P(X)C \bmod B)$.

In the implausible case where one finds that $A \circ P \not\equiv 0 \pmod B$, then we must again test for linear dependence with higher precision used for $\alpha_i$ and $\beta$.

Remark. There is a better way to test whether each conjugate $\alpha_i$ is or is not a $\mathbb{Q}$-linear combination of $1, \beta, \dots, \beta^{n-1}$ than to apply LLL to each $\alpha_i$, each time LLL reducing an $(n+2) \times (n+1)$ matrix (or equivalently a quadratic form in $n+1$ variables). Indeed, keeping with the notations of Remark (2) at the end of Section 2.7.2, the first $n$ columns of that matrix, which correspond to the powers of $\beta$, will always be the same. Only the last column depends on $\alpha_i$. But in LLL reduction, almost all the work is spent LLL reducing the first $n$ columns; the $(n+1)$-st is done last. Hence, we should first LLL reduce the $(n+2) \times n$ matrix corresponding to the powers of $\beta$. Then, for each $\alpha_i$ to be tested, we can now start from the already reduced basis and just add an extra column vector, and since the first $n$ vectors are already LLL reduced, the amount of work which remains to be done to account for the last column will be very small compared to a full LLL reduction. We leave the details to the reader.

If LLL tells us that apparently there is no linear relation, then we suspect that $\alpha \notin \mathbb{Q}(\beta)$. To prove it, the best way is probably to apply one of the two other methods which we are going to explain.


4.5.2 The Subfield Problem Using Linear Algebra over $\mathbb{C}$

A second method is as follows (I thank A.-M. Bergé and M. Olivier for pointing it out to me). After clearing denominators, we may as well assume that $\alpha$ and $\beta$ are algebraic integers. We then have the following.

Proposition 4.5.1. With the above notations, assume that $\alpha$ and $\beta$ are algebraic integers. Then $K$ is isomorphic to a subfield of $L$ if and only if there exists an $n/m$ to one map $\phi$ from $[1, n]$ to $[1, m]$ such that for $1 \le h < n$,

$$s_h = \sum_{1 \le i \le n} \alpha_{\phi(i)} \beta_i^h \in \mathbb{Z},$$

where the $\alpha_j$ (resp. $\beta_i$) denote the roots of $A(X)$ (resp. of $B(X)$) in $\mathbb{C}$.

Proof. Assume first that $K$ is isomorphic to a subfield of $L$, i.e. that $\alpha_1 = P(\beta_1)$ with $P \in \mathbb{Q}[X]$ say. Then, for every $i$, $P(\beta_i)$ is a root $\alpha_j$ of $A(X) = 0$, and by Galois theory each $\alpha_j$ is obtained exactly $n/m$ times. Therefore the map $i \mapsto j = \phi(i)$ is $n/m$ to one. Furthermore,

$$s_h = \sum_{1 \le i \le n} \alpha_{\phi(i)} \beta_i^h = \sum_{1 \le i \le n} P(\beta_i)\beta_i^h = \operatorname{Tr}_{L/\mathbb{Q}}\bigl(P(\beta)\beta^h\bigr) \in \mathbb{Q},$$

hence $s_h \in \mathbb{Z}$ since the $\alpha_j$ and $\beta_i$ are algebraic integers.

Conversely, assume that for some $\phi$ we have $s_h \in \mathbb{Z}$ for all $h$ such that $1 \le h < n$. Note that $s_0 = (n/m)\operatorname{Tr}_{K/\mathbb{Q}}(\alpha) \in \mathbb{Z}$ follows automatically. Consider the following $n \times n$ linear system:

$$\sum_{0 \le j < n} x_j \operatorname{Tr}_{L/\mathbb{Q}}(\beta^j \beta^h) = s_h, \qquad 0 \le h < n.$$

By Proposition 4.4.4 (1) the determinant of this system is equal to $d(B)$, hence is non-zero. Furthermore, the system has rational coefficients, so the unique solution has coefficients $x_j \in \mathbb{Q}$. If we set $P(X) = \sum_{0 \le j < n} x_j X^j$, we then have $P \in \mathbb{Q}[X]$ and $\sum_{1 \le i \le n} P(\beta_i)\beta_i^h = s_h$. It follows that the vector of the $(P(\beta_i))$ and that of the $(\alpha_{\phi(i)})$ are both solutions of the linear system $\sum_{1 \le i \le n} y_i \beta_i^h = s_h$, and since the $\beta_i$ are distinct this system has a unique solution, so the vectors are equal, thus proving the proposition. □


Remarks.

(1) The number of maps from $[1,n]$ to $[1,m]$ which are $n/m$-to-one is equal to $n!/((n/m)!)^m$, hence can be quite large, especially when $m = n$ (which corresponds to the very important isomorphism problem). This is to be compared to the number of trials to be done with the LLL method, which is only equal to $m$. Hence, although LLL is slow, except when $n$ is very small (say $n \le 4$), we suggest starting with the LLL method. If the answer is positive, which will in practice happen quite often, we can stop. If not, use the present method (or the purely algebraic method which is explained below).

(2) To check that $s_h \in \mathbb{Z}$ we must of course compute the roots of $A(X)$ and $B(X)$ sufficiently accurately. Now however the error estimates are trivial (compared to the ones we would need using LLL), and if $s_h$ is sufficiently far away from an integer, it is very easy to prove rigorously that it is so.

(3) We start of course by checking whether $s_1 \in \mathbb{Z}$, since this will eliminate most candidates for $\phi$.

The above leads to the following algorithm.

Algorithm 4.5.2 (Subfield Problem Using Linear Algebra). Let $A(X)$ and $B(X)$ be primitive irreducible polynomials in $\mathbb{Z}[X]$ of degree $m$ and $n$ respectively defining number fields $K$ and $L$. This algorithm determines whether or not $K$ is isomorphic to a subfield of $L$, and if it is, gives an explicit isomorphism.

1. [Trivial check] If $m \nmid n$, output NO and terminate the algorithm.

2. [Reduce to algebraic integers] Set $a \leftarrow \ell(A)$, $b \leftarrow \ell(B)$ (the leading terms of $A$ and $B$), and set $A(X) \leftarrow a^{m-1}A(X/a)$ and $B(X) \leftarrow b^{n-1}B(X/b)$.

3. [Check discriminants] For every odd prime $p$ such that $v_p(d(A))$ is odd, check that $p^{n/m} \mid d(B)$ (where $d(A)$ and $d(B)$ are computed using Algorithm 3.3.7). If this is not the case, output NO and terminate the algorithm. If for some reason $d(K)$ and $d(L)$ are known or cheaply computed, replace these checks by the single check $d(K)^{n/m} \mid d(L)$.

4. [Compute roots] Using Algorithm 3.6.6, compute the complex roots $\alpha_i$ and $\beta_i$ of $A(X)$ and $B(X)$ to a reasonable accuracy (it may be necessary to have more accuracy in the later steps).

5. [Loop on $\phi$] For each $n/m$ to one map $\phi$ from $[1,n]$ to $[1,m]$ execute steps 6 and 7. If all the maps have been examined without termination of the algorithm, output NO and terminate the algorithm.

6. [Check $s_1 \in \mathbb{Z}$] Let $s_1 \leftarrow \sum_{1 \le i \le n} \alpha_{\phi(i)}\beta_i$. If $s_1$ is not close to an integer (this is a rigorous statement, since it depends only on the chosen approximations to the roots), take the next map $\phi$ in step 5.

Otherwise, check whether $s_h \leftarrow \sum_{1 \le i \le n} \alpha_{\phi(i)}\beta_i^h$ is also close to an integer for $h = 2, \dots, n-1$. As soon as this is not the case, take the next map $\phi$ in step 5.

7. [Compute polynomial] (Here the $s_h$ are all close to integers.) Set $s_h \leftarrow \lfloor s_h \rceil$ (the nearest integer to $s_h$). Compute by induction $t_k \leftarrow \operatorname{Tr}_{L/\mathbb{Q}}(\beta^k)$ for $0 \le k \le 2n-2$, and using Algorithm 2.2.1 or a Gauss-Bareiss variant, find the unique solution to the linear system $\sum_{0 \le j < n} x_j t_{j+h} = s_h$ for $0 \le h < n$ (note that we know that $d(B)x_j \in \mathbb{Z}$, so we can avoid rational arithmetic), and set $P(X) \leftarrow \sum_{0 \le j < n} x_j X^j$.

8. [Finished?] Using the variant of Horner's rule explained in Section 4.5.1, check whether $A(P(X)) \equiv 0 \pmod{B(X)}$. If this is the case, then output YES, output also the polynomial $P(bX)/a$ which gives the isomorphism explicitly, and terminate the algorithm. Otherwise, using Algorithm 3.6.6 (or, even more simply, a few Newton iterations to obtain a higher precision) recompute the roots $\alpha_i$ and $\beta_i$ to a greater accuracy and go to step 6.
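As an added example (not code from the book), the following Python implements Algorithm 4.5.2 together with the Horner check $A \circ P \equiv 0 \pmod B$ of Section 4.5.1. It omits step 3 (the discriminant test), uses a Durand-Kerner iteration in place of Algorithm 3.6.6, obtains the traces $t_k$ exactly by Newton's identities, and solves the linear system over $\mathbb{Q}$ with Fractions; the sample pair $A = X^2 - 2$, $B = X^4 - 10X^2 + 1$ (so $\alpha = \sqrt2$ and $\beta = \sqrt2 + \sqrt3$) is constructed here. The same function runs unchanged for $m = n$, the isomorphism case.

```python
from fractions import Fraction
from itertools import product
from math import prod

# Polynomials are coefficient lists, lowest degree first. Constructed sample:
# A = X^2 - 2 (alpha = sqrt 2), B = X^4 - 10X^2 + 1 (beta = sqrt 2 + sqrt 3).
A_SAMPLE = [-2, 0, 1]
B_SAMPLE = [1, 0, -10, 0, 1]

def poly_mul(p, q):
    out = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out

def poly_mod(num, den):
    """Exact remainder of num modulo den over Q."""
    num = [Fraction(c) for c in num]
    den = [Fraction(c) for c in den]
    while len(num) >= len(den):
        q, shift = num[-1] / den[-1], len(num) - len(den)
        for k, d in enumerate(den):
            num[shift + k] -= q * d
        num.pop()                         # leading coefficient is now zero
    return num

def compose_mod(A, P, B):
    """A(P(X)) mod B by the Horner variant of 4.5.1: C <- a_m; C <- (a_i + P*C) mod B."""
    C = [Fraction(A[-1])]
    for a in reversed(A[:-1]):
        C = poly_mul(P, C)
        C[0] += a
        C = poly_mod(C, B)
    return C

def is_zero(p):
    return all(c == 0 for c in p)

def roots(poly, iters=500):
    """All complex roots by Durand-Kerner iteration (stands in for Algorithm 3.6.6)."""
    n = len(poly) - 1
    monic = [complex(c) / poly[-1] for c in poly]
    ev = lambda x: sum(c * x ** k for k, c in enumerate(monic))
    z = [(0.4 + 0.9j) ** k for k in range(n)]
    for _ in range(iters):
        z = [zi - ev(zi) / prod(zi - zj for j, zj in enumerate(z) if j != i)
             for i, zi in enumerate(z)]
    return z

def power_sums(B, kmax):
    """t_k = Tr(beta^k) = sum of beta_i^k for k = 0..kmax, exactly, via Newton's identities."""
    n = len(B) - 1
    c = [Fraction(B[n - i], B[n]) for i in range(n + 1)]   # X^n + c1 X^(n-1) + ... + cn
    t = [Fraction(n)]
    for k in range(1, kmax + 1):
        acc = sum((c[i] * t[k - i] for i in range(1, min(k - 1, n) + 1)), Fraction(0))
        t.append(-(acc + k * c[k] if k <= n else acc))
    return t

def solve(M, rhs):
    """Exact solution of the square system M x = rhs over Q (Gauss-Jordan on Fractions)."""
    n = len(M)
    M = [[Fraction(v) for v in row] + [Fraction(rhs[i])] for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for r in range(n):
            if r != col:
                M[r] = [u - M[r][col] * w for u, w in zip(M[r], M[col])]
    return [row[n] for row in M]

def to_integral(F):
    """Step 2: l^(d-1) F(X/l) is monic in Z[X]; its roots are l times those of F."""
    l, d = F[-1], len(F) - 1
    return [F[i] * l ** (d - 1 - i) for i in range(d)] + [1], l

def subfield(A, B, tol=1e-6):
    """Algorithm 4.5.2 without step 3: P in Q[X] with A(P(X)) = 0 mod B, or None."""
    m, n = len(A) - 1, len(B) - 1
    if n % m: return None                                # step 1
    (A1, a), (B1, b) = to_integral(A), to_integral(B)    # step 2
    al, be = roots(A1), roots(B1)                        # step 4
    t = power_sums(B1, 2 * n - 2)
    near = lambda v: abs(v.imag) < tol and abs(v.real - round(v.real)) < tol
    for phi in product(range(m), repeat=n):              # step 5: n/m-to-one maps
        if any(phi.count(j) != n // m for j in range(m)):
            continue
        s = []
        for h in range(n):                               # step 6 (s_0 included)
            sh = sum(al[phi[i]] * be[i] ** h for i in range(n))
            if not near(sh): break
            s.append(round(sh.real))
        else:                                            # step 7: sum_j x_j t_(j+h) = s_h
            x = solve([[t[j + h] for j in range(n)] for h in range(n)], s)
            if is_zero(compose_mod(A1, x, B1)):          # step 8: rigorous Horner check
                return [x[j] * Fraction(b) ** j / a for j in range(n)]   # P(bX)/a
    return None
```

On the sample, `subfield(A_SAMPLE, B_SAMPLE)` returns $\pm(X^3 - 9X)/2$ (which sign depends on the root ordering), i.e. $\sqrt2 = (\beta^3 - 9\beta)/2$, and `subfield([-5, 0, 1], B_SAMPLE)` returns `None` since $\sqrt5 \notin \mathbb{Q}(\sqrt2, \sqrt3)$.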


4.5.3 The Subfield Problem Using Algebraic Algorithms

The third solution that we give to the subfield problem is usually less efficient but has the advantage that it is guaranteed to work without worrying about complex approximations. The idea is to use Algorithm 3.6.4 which factors polynomials over number fields and the following easy proposition whose proof is left to the reader (Exercise 9).

Proposition 4.5.3. Let $\alpha$ and $\beta$ be algebraic numbers with minimal polynomials $A(X)$ and $B(X)$ respectively. Set $K = \mathbb{Q}(\alpha)$, $L = \mathbb{Q}(\beta)$, and let $A = \prod_{1 \le i \le s} A_i$ be a factorization of $A$ into irreducible factors in $L[X]$. There is a one-to-one correspondence between the $A_i$ of degree equal to one and the conjugates of $\alpha$ belonging to $L$. In particular, $L$ contains a subfield isomorphic to $K$ if and only if at least one of the $A_i$ is of degree equal to one.

This immediately leads to the following algorithm. Note that we keep the same first three steps as in the preceding algorithm.

Algorithm 4.5.4 (Subfield Problem Using Factorization of Polynomials). Let $A(X)$ and $B(X)$ be primitive irreducible polynomials in $\mathbb{Z}[X]$ of degree $m$ and $n$ respectively defining number fields $K$ and $L$. This algorithm determines whether or not $K$ is isomorphic to a subfield of $L$, and if it is, gives an explicit isomorphism.

1. [Trivial check] If $m \nmid n$, output NO and terminate the algorithm.

2. [Reduce to algebraic integers] Set $a \leftarrow \ell(A)$, $b \leftarrow \ell(B)$ (the leading terms of $A$ and $B$), and set $A(X) \leftarrow a^{m-1}A(X/a)$ and $B(X) \leftarrow b^{n-1}B(X/b)$.

3. [Check discriminants] For every odd prime $p$ such that $v_p(d(A))$ is odd, check that $p^{n/m} \mid d(B)$ (where $d(A)$ and $d(B)$ are computed using Algorithm 3.3.7). If this is not the case, output NO and terminate the algorithm. If for some reason $d(K)$ and $d(L)$ are known or cheaply computed, replace these checks by the single check $d(K)^{n/m} \mid d(L)$.

4. [Factor in $L[X]$] Using Algorithm 3.6.4, let $A = \prod_{1 \le i \le s} A_i$ be a factorization of $A$ into irreducible factors in $L[X]$, where without loss of generality we may assume the $A_i$ monic.

5. [Conclude] If no $A_i$ is of degree equal to 1, then output NO; otherwise output YES, and if we write $A_i = X - g_i(\beta)$ where $\beta$ is a root of $B$ such that $L = \mathbb{Q}(\beta)$, output also the polynomial $g_i(bX)/a$ which gives explicitly the isomorphism. Terminate the algorithm.


Conclusion. With three different algorithms to solve the subfield problem, it is now necessary to give some practical advice. These remarks are, of course, also valid for the applications of the subfield problem that we will see in the next section, such as the field isomorphism problem.

1) Start by executing steps 1 to 3 of Algorithm 4.5.2. These tests are fast and will eliminate most cases when $K$ is not isomorphic to a subfield of $L$. If these tests go through, there is now a distinct possibility that the answer to the subfield problem is yes.

2) Apply the LLL method (using the remark made at the end of Section 4.5.1). This is also quite fast, and will give good results if $K$ is indeed isomorphic to a subfield of $L$. Note that sufficient accuracy should be used in computing the roots of $A(X)$ and $B(X)$, otherwise LLL may miss a dependency. If LLL fails to detect a relation, then, especially if the computation has been done to high accuracy, it is almost certain that $K$ is not isomorphic to a subfield of $L$.

An alternate method which is numerically more stable is to use Algorithm 4.5.2. However this algorithm is much slower than LLL as soon as $n$ is at all large, hence should be used only for very small values of $n$.

3) In the remaining cases, apply Algorithm 4.5.4 which is slow but sure.


4.5.4 Applications of the Solutions to the Subfield Problem

Now that we have seen three methods for solving the subfield problem, we will see that this problem is basic for the solution of a number of other problems. For each of these other problems, we can then choose any method that we like to solve the underlying subfield problem.

The Field Membership Problem.

The first problem that we can now solve is the field membership problem. Given two algebraic numbers $\alpha$ and $\beta$ by their minimal polynomials $A$ and $B$ and suitable complex approximations, determine whether or not $\alpha \in \mathbb{Q}(\beta)$, and if so find a polynomial $P \in \mathbb{Q}[X]$ such that $\alpha = P(\beta)$. For this, apply one of the three methods that we have studied for the subfield problem. Note that some steps may be simplified since we have chosen a specific complex root of $A(X)$. For example, if we use LLL, we simply check the linear dependence of $\alpha$ and the powers of $\beta$. If we use linear algebra, choosing a numbering of the roots such that $\alpha = \alpha_1$ and $\beta = \beta_1$, we can restrict to maps $\phi$ such that $\phi(1) = 1$. In the algebraic method on the other hand we must lengthen step 5. For every $A_i = X - g_i(\beta)$ of degree one, we compute $g_i(\beta)$ numerically (it will be a root of $A(X)$) and check whether it is closer to $\alpha$ than to any other root. If this occurs for no $i$, then the answer is NO, otherwise the answer is YES and we output the correct $g_i$.

The Field Isomorphism Problem.

The second problem is the isomorphism problem. Given two number fields $K$ and $L$ as before, determine whether or not they are isomorphic. This is of course equivalent to $K$ and $L$ having the same degree and $K$ being a subfield of $L$, so the solution to this problem follows immediately from that of the subfield problem. Since this problem is very important, we give explicitly the two algorithms corresponding to the last two methods (the LLL method can of course also be used). For still another method, see [Poh3].

Algorithm 4.5.5 (Field Isomorphism Using Linear Algebra). Let $A(X)$ and $B(X)$ be primitive irreducible polynomials in $\mathbb{Z}[X]$ of the same degree $n$ defining number fields $K$ and $L$. This algorithm determines whether or not $K$ is isomorphic to $L$, and if it is, gives an explicit isomorphism.

1. [Reduce to algebraic integers] Set $a \leftarrow \ell(A)$, $b \leftarrow \ell(B)$ (the leading terms of $A$ and $B$), and set $A(X) \leftarrow a^{n-1}A(X/a)$ and $B(X) \leftarrow b^{n-1}B(X/b)$.

2. [Check discriminants] Compute $d(A)$ and $d(B)$ using Algorithm 3.3.7, and check whether $d(A)/d(B)$ is a square in $\mathbb{Q}$ using essentially Algorithm 1.7.3. If this is not the case, output NO and terminate the algorithm. If for some reason $d(K)$ and $d(L)$ are known or cheaply computed, replace this check by $d(K) = d(L)$.

3. [Compute roots] Using Algorithm 3.6.6, compute the complex roots $\alpha_i$ and $\beta_i$ of $A(X)$ and $B(X)$ to a reasonable accuracy (it may be necessary to have more accuracy in the later steps).

4. [Loop on $\phi$] For each permutation $\phi$ of $[1,n]$ execute steps 5 and 6. If all the permutations have been examined without termination of the algorithm, output NO and terminate the algorithm.

5. [Check $s_1 \in \mathbb{Z}$] Let $s_1 \leftarrow \sum_{1 \le i \le n} \alpha_{\phi(i)}\beta_i$. If $s_1$ is not close to an integer (this is a rigorous statement, since it depends only on the chosen approximations to the roots), take the next permutation $\phi$ in step 4.

Otherwise, check whether $s_h \leftarrow \sum_{1 \le i \le n} \alpha_{\phi(i)}\beta_i^h$ is also close to an integer for $h = 2, \dots, n-1$. As soon as this is not the case, take the next permutation $\phi$ in step 4.

6. [Compute polynomial] (Here the $s_h$ are all close to integers.) Set $s_h \leftarrow \lfloor s_h \rceil$ (the nearest integer to $s_h$). Compute by induction $t_k \leftarrow \operatorname{Tr}_{L/\mathbb{Q}}(\beta^k)$ for $0 \le k \le 2n-2$, and using Algorithm 2.2.1 or a Gauss-Bareiss variant, find the unique solution to the linear system $\sum_{0 \le j < n} x_j t_{j+h} = s_h$ for $0 \le h < n$. (We know that $d(B)x_j \in \mathbb{Z}$, so we can avoid rational arithmetic.) Now set

$$P(X) \leftarrow \sum_{0 \le j < n} x_j X^j.$$

7. [Finished?] Using the variant of Horner's rule explained in Section 4.5.1, check whether $A(P(X)) \equiv 0 \pmod{B(X)}$. If this is the case, then output YES, and also output the polynomial $P(bX)/a$ which gives the isomorphism explicitly, and terminate the algorithm. Otherwise, using Algorithm 3.6.6 recompute the roots $\alpha_i$ and $\beta_i$ to a greater accuracy and go to step 5.


Algorithm 4.5.6 (Field Isomorphism Using Polynomial Factorization). Let $A(X)$ and $B(X)$ be primitive irreducible polynomials in $\mathbb{Z}[X]$ of the same degree $n$ defining number fields $K$ and $L$. This algorithm determines whether or not $K$ is isomorphic to $L$, and if it is, gives an explicit isomorphism.

1. [Reduce to algebraic integers] Set $a \leftarrow \ell(A)$, $b \leftarrow \ell(B)$ (the leading terms of $A$ and $B$), and set $A(X) \leftarrow a^{n-1}A(X/a)$ and $B(X) \leftarrow b^{n-1}B(X/b)$.

2. [Check discriminants] Compute $d(A)$ and $d(B)$ using Algorithm 3.3.7, and check whether $d(A)/d(B)$ is a square in $\mathbb{Q}$ using a slightly modified version of Algorithm 1.7.3. If this is not the case, output NO and terminate the algorithm. If for some reason $d(K)$ and $d(L)$ are known or cheaply computed, check instead that $d(K) = d(L)$.

3. [Factor in $L[X]$] Using Algorithm 3.6.4, let $A = \prod_{1 \le i \le s} A_i$ be a factorization of $A$ into irreducible factors in $L[X]$, where without loss of generality we may assume the $A_i$ monic.

4. [Conclude] If no $A_i$ has degree equal to 1, then output NO; otherwise output YES, and if we write $A_i = X - g_i(\beta)$ where $\beta$ is a root of $B$ such that $L = \mathbb{Q}(\beta)$, also output the polynomial $g_i(bX)/a$ which explicitly gives the isomorphism. Terminate the algorithm.

For the field isomorphism problem, there is a different method which works sufficiently often that it deserves to be mentioned. We have seen that Algorithm 4.4.12 gives a defining polynomial for a number field which is almost canonical. Hence, if we apply this algorithm to two polynomials $A$ and $B$, then, if the corresponding number fields are isomorphic, there is a good chance that the polynomials output by Algorithm 4.4.12 will be the same. If they are the same, this proves that the fields are isomorphic (and we can easily recover explicitly the isomorphism if desired). If not, it does not prove anything, but we can expect that they are not isomorphic. We must then apply one of the rigorous methods explained above to prove this.

The Primitive Element Problem.

The last application of the subfield problem that we will see is to the primitive element problem. This is as follows. Given algebraic numbers $\alpha_1, \dots, \alpha_m$, set $K = \mathbb{Q}(\alpha_1, \dots, \alpha_m)$. Then $K$ is a number field, hence it is reasonable (although not always absolutely necessary, see [Duv]) to represent $K$ by a primitive element $\theta$, i.e.

$$K = \mathbb{Q}(\alpha_1, \dots, \alpha_m) = \mathbb{Q}(\theta) \simeq \mathbb{Q}[X]/(T(X)\mathbb{Q}[X]),$$

where $T$ is the minimal polynomial of $\theta$. Hence, we need an algorithm which finds such a $T$ (which is not unique) given $\alpha_1, \dots, \alpha_m$. We can do this by induction on $m$, and the problem boils down to the following: Given $\alpha$ and $\beta$ by their minimal polynomials $A$ and $B$ (and suitable complex approximations), find a monic irreducible polynomial $T \in \mathbb{Z}[X]$ such that

$$\mathbb{Q}(\alpha, \beta) = \mathbb{Q}(\theta), \qquad \text{where } T(\theta) = 0.$$

We can use the solution to the subfield problem to solve this. According to the proof of the primitive element theorem (see [Lang1]), we can take $\theta = k\alpha + \beta$ for a small integer $k$, and $\mathbb{Q}(\alpha, \beta) = \mathbb{Q}(k\alpha + \beta)$ is equivalent to $\alpha \in \mathbb{Q}(k\alpha + \beta)$, which can be checked using one of the algorithms explained above for the field membership problem.


4.6 Orders and Ideals

4.6.1 Basic Definitions

Definition 4.6.1. An order $R$ in $K$ is a subring of $K$ which as a $\mathbb{Z}$-module is finitely generated and of maximal rank $n = \deg(K)$ (note that we use the "modern" definition of a ring, which includes the existence of the multiplicative identity 1).

Proposition 4.1.3 shows that every element of an order $R$ is an algebraic integer, i.e. that $R \subset \mathbb{Z}_K$. We will see that the ring theory of $\mathbb{Z}_K$ is nicer than that of an arbitrary order $R$, but for the moment we let $R$ be an arbitrary order in a number field $K$. We emphasize that some of the properties mentioned here are specific to orders in number fields, and are not usually valid for general base rings.

Definition 4.6.2. An ideal $I$ of $R$ is a sub-$R$-module of $R$, i.e. a sub-$\mathbb{Z}$-module of $R$ such that for every $r \in R$ and $i \in I$ we have $ri \in I$.

Note that the quotient module $R/I$ has a canonical quotient ring structure. In fact we have:

Proposition 4.6.3. Let $I$ be a non-zero ideal of $R$. Then $I$ is a module of maximal rank. In other words, $R/I$ is a finite ring. Its cardinality is called the norm of $I$ and denoted $\mathcal{N}(I)$.

Indeed, if $i \in I$ with $i \ne 0$, then $iR \subset I \subset R$, proving the proposition. □


If $I$ is given by its HNF on a basis of $R$ (or simply by any matrix $A$), then Proposition 4.7.4 shows that the norm of $I$ is simply the absolute value of the determinant of $A$.

Ideals can be added (as modules), and the sum of two ideals is clearly again an ideal. Similarly, the intersection of two ideals is an ideal. Ideals can also be multiplied in the following way: if $I$ and $J$ are ideals, then

$$IJ = \Bigl\{ \sum_i x_i y_i, \ \text{where } x_i \in I \text{ and } y_i \in J \Bigr\}.$$

Again, it is clear that this is an ideal. Note that we clearly have the inclusions

$$IJ \subset I \cap J \subset I \subset I + J,$$

(and similarly with $J$), and $IR = I$ for all ideals $I$. It is clearly not always true that $IJ = I \cap J$ (take $I = J = p\mathbb{Z}$ in $\mathbb{Z}$). We have however the following easy result.


Proposition 4.6.4. Let $I$ and $J$ be two ideals in $R$ and assume that $I + J = R$. (It is then reasonable to say that $I$ and $J$ are coprime.) Then we have the equality $IJ = I \cap J$.

Proof. Since $IJ \subset I \cap J$ we need to prove only the reverse inclusion. But since $I + J = R$, there exist $a \in I$ and $b \in J$ such that $a + b = 1$. If $x \in I \cap J$ it follows that $x = ax + bx$, and clearly $ax \in IJ$ and $bx \in JI = IJ$, thus proving the proposition. □


Definition 4.6.5. A fractional ideal $I$ in $R$ is a non-zero submodule of $K$ such that there exists a non-zero integer $d$ with $dI$ an ideal of $R$. An ideal (fractional or not) is said to be a principal ideal if there exists $x \in K$ such that $I = xR$. Finally, $R$ is a principal ideal domain (PID) if $R$ is an integral domain (this is already satisfied for orders) and if every ideal of $R$ is a principal ideal.


It is clear that if $I$ is a fractional ideal, then $I \subset R$ if and only if $I$ is an ideal of $R$, and we will then say that $I$ is an integral ideal.

Note that the set-theoretic inclusions seen above remain valid for fractional ideals, except for the one concerning the product. Indeed, if $I$ and $J$ are two fractional ideals, one does not even have $IJ \subset I$ in general: take $I = R$, and $J$ a non-integral ideal.

Definition 4.6.6. Let $I$ be a fractional ideal of $R$. We will say that $I$ is invertible if there exists a fractional ideal $J$ of $R$ such that $R = IJ$. Such an ideal $J$ will be called an inverse of $I$.

The  following  lemma  is  easy  but  crucial. 

Lemma 4.6.7. Let $I$ be a fractional ideal, and set

$$I' = \{x \in K,\ xI \subset R\}.$$

Then $I$ is invertible if and only if $II' = R$. Furthermore, if this equality is true, then $I'$ is the unique inverse of $I$ and is denoted $I^{-1}$.

The proof is immediate and left to the reader. □

Remark. It is not true in general that $\mathcal{N}(IJ) = \mathcal{N}(I)\mathcal{N}(J)$. For example, let $\omega = (1 + \sqrt{-7})/2$, take $R = \mathbb{Z} + 3\omega\mathbb{Z}$ and $I = J = 3\mathbb{Z} + 3\omega\mathbb{Z}$. Then one immediately checks that $\mathcal{N}(I) = 3$, but $\mathcal{N}(I^2) = 27$. As the following proposition shows, the equality $\mathcal{N}(IJ) = \mathcal{N}(I)\mathcal{N}(J)$ is however true when either $I$ or $J$ is an invertible ideal in $R$, and in particular, it is always true when $R = \mathbb{Z}_K$ is the maximal order of $K$ (see Section 4.6.2 for the relevant definitions).

Proposition 4.6.8. Let $R$ be an order in a number field, and let $I$ and $J$ be two integral ideals of $R$. If either $I$ or $J$ is invertible, we have $\mathcal{N}(IJ) = \mathcal{N}(I)\mathcal{N}(J)$.

Proof. (This proof is due to H. W. Lenstra.) Assume for example that $I$ is invertible. We will prove more generally that if $J \subset H$ where $J$ and $H$ are ideals of $R$, then $[IH : IJ] = [H : J]$. With $H = R$, this gives $[I : IJ] = [R : J]$, hence $\mathcal{N}(IJ) = [R : IJ] = [R : I][I : IJ] = \mathcal{N}(I)\mathcal{N}(J)$, thus proving the proposition.

Let us temporarily say that a pair of ideals $(J, H)$ is a simple pair if $[H : J] > 1$ and if there are no ideals containing $J$ and contained in $H$ apart from $H$ and $J$ themselves.

We prove the equality $[IH : IJ] = [H : J]$ by induction on $[H : J]$. For $H = J$ it is trivial, hence assume by induction that $[H : J] > 1$ and that the proposition is true for any pair of ideals such that $[H' : J'] < [H : J]$. Assume that $(J, H)$ is not a simple pair, and let $H_1$ be an ideal between $J$ and $H$ and distinct from both. By our induction hypothesis we have $[IH : IH_1] = [H : H_1]$ and $[IH_1 : IJ] = [H_1 : J]$, hence $[IH : IJ] = [H : J]$, thus proving the proposition in that case.

Assume now that $(J, H)$ is a simple pair. Then $(IJ, IH)$ is also a simple pair since $I$ is an invertible ideal (in fact multiplication by $I$ gives a one-to-one map from the set of ideals between $J$ and $H$ onto the set of ideals between $IJ$ and $IH$). Now we have the following lemma.

Lemma 4.6.9. If $(J, H)$ is a simple pair, then there exists an isomorphism of $R$-modules from $H/J$ to $R/M$ for some maximal ideal $M$ of $R$. (Recall that $M$ is a maximal ideal if and only if $(M, R)$ is a simple pair.)

Indeed, let $x \in H \setminus J$. The ideal $xR + J$ is between $J$ and $H$ but is not equal to $J$, hence $H = xR + J$. This immediately implies that the map from $R$ to $H/J$ which sends $a$ to the class of $ax$ modulo $J$ is a surjective $R$-linear map. Call $M$ its kernel, which is an ideal of $R$. Then by definition $R/M$ is isomorphic to $H/J$, and since $(J, H)$ is a simple pair it follows that $(M, R)$ is a simple pair, in other words that $M$ is a maximal ideal of $R$, thus proving the lemma. □

Resuming the proof of the proposition, we see that $H/J$ is isomorphic to $R/M$ and $IH/IJ$ is isomorphic to $R/M'$ for some maximal ideals $M$ and $M'$. By construction, $MH \subset J$ hence $MIH \subset IJ$, so $M$ annihilates $IH/IJ$, hence $M \subset M'$. Since $M$ and $M'$ are maximal ideals (or since $I$ is invertible), it follows that $M = M'$, hence that $[IH : IJ] = \mathcal{N}(M') = \mathcal{N}(M) = [H : J]$, thus showing the proposition. □

Definition 4.6.10. An ideal $\mathfrak{p}$ of $R$ is called a prime ideal if $\mathfrak{p} \neq R$ and if the quotient ring $R/\mathfrak{p}$ is an integral domain (in other words if $xy \in \mathfrak{p}$ implies $x \in \mathfrak{p}$ or $y \in \mathfrak{p}$). The ideal $\mathfrak{p}$ is maximal if the quotient ring $R/\mathfrak{p}$ is a field.

It is easy to see that an ideal $\mathfrak{p}$ is maximal if and only if $\mathfrak{p} \neq R$ and if the only ideals $I$ such that $\mathfrak{p} \subset I \subset R$ are $\mathfrak{p}$ and $R$, in other words if $(\mathfrak{p}, R)$ form a simple pair in the language used above. Furthermore, it is clear that a maximal ideal is prime. In number fields, the converse is essentially true:

Proposition 4.6.11. Let $\mathfrak{p}$ be a non-zero prime ideal in $R$. Then $\mathfrak{p}$ is maximal. (Here it is essential that $R$ be an order in a number field.)

Indeed, to say that $\mathfrak{p}$ is a prime ideal is equivalent to saying that for every $x \notin \mathfrak{p}$ the maps $y \mapsto xy$ modulo $\mathfrak{p}$ are injections from $R/\mathfrak{p}$ into itself. Since $R/\mathfrak{p}$ is finite, these maps are also bijections, hence $R/\mathfrak{p}$ is a field. □

Note that $\{0\}$ is indeed a prime ideal, but is not maximal. It will always be excluded, even when this is not explicitly mentioned.

The reason why prime ideals are called "prime" is that the prime ideals of $\mathbb{Z}$ are $\{0\}$, and the ideals $p\mathbb{Z}$ for $p$ a prime number. Prime ideals also satisfy some of the properties of prime numbers. Specifically:

Proposition 4.6.12. If $\mathfrak{p}$ is a prime ideal and $\mathfrak{p} \supset I_1 \cdots I_k$, where the $I_i$ are ideals, then there exists an $i$ such that $\mathfrak{p} \supset I_i$.

Proof. By induction on $k$ it suffices to prove the result for $k = 2$. Assume that $\mathfrak{p} \supset IJ$ and $\mathfrak{p} \not\supset I$ and $\mathfrak{p} \not\supset J$. Then there exists $x \in I$ such that $x \notin \mathfrak{p}$, and $y \in J$ such that $y \notin \mathfrak{p}$. Since $\mathfrak{p}$ is a prime ideal, $xy \notin \mathfrak{p}$, but clearly $xy \in IJ$, a contradiction. □

If we interpret $I \supset J$ as meaning $I \mid J$, this says that if $\mathfrak{p}$ divides a product of ideals, it divides one of the factors. Although it is quite tempting to use the notation $I \mid J$, one should be careful with it since it is not true in general that $I \mid J$ implies that there exists an ideal $I'$ such that $J = II'$. As we will see, this will indeed be true if $R = \mathbb{Z}_K$, and in this case it makes perfectly good sense to use that notation.

A variant of the above mentioned phenomenon is that it is not true for general orders $R$ that every ideal is a product of prime ideals. What is always true is that every (non-zero) ideal contains a product of (non-zero) prime ideals. When $R = \mathbb{Z}_K$ however, we will see that everything we want is true at the level of ideals.

Proposition 4.6.13. If $R$ is an order in a number field (or more generally a Noetherian integral domain), any non-zero integral ideal $I$ in $R$ contains a product of (non-zero) prime ideals.

This is easily proved by Noetherian induction (see Exercise 11).

An important notion which is weaker than that of PID but almost as useful is that of a Dedekind domain. This is by definition a Noetherian integral domain $R$ such that every non-zero prime ideal is maximal, and which is integrally closed. This last condition means that if $x$ is a root of a monic polynomial equation with coefficients in $R$ and if $x$ is in the field of fractions of $R$, then in fact $x \in R$. This is for example the case of $R = \mathbb{Z}$.

When $R$ is an order in a number field, all the conditions are satisfied except that $R$ must also be integrally closed. Since $R \supset \mathbb{Z}$, it is clear that if $R$ is integrally closed then $R = \mathbb{Z}_K$, and the converse is also true by Proposition 4.1.5. Hence the only order in $K$ which is a Dedekind domain is the ring of integers $\mathbb{Z}_K$. Since we know that every order $R$ is a subring of $\mathbb{Z}_K$, we will also call $\mathbb{Z}_K$ the maximal order of $K$.

We now specialize to the case where $R = \mathbb{Z}_K$.


4.6.2 Ideals of $\mathbb{Z}_K$

In this section, fix $R = \mathbb{Z}_K$. Let $I(K)$ be the set of fractional ideals of $\mathbb{Z}_K$. We summarize the main properties of $\mathbb{Z}_K$-ideals in the following theorem:

Theorem 4.6.14.

(1) Every fractional ideal of $\mathbb{Z}_K$ is invertible. In other words, if $I$ is a fractional ideal and if we set $I^{-1} = \{x \in K,\ xI \subset \mathbb{Z}_K\}$, then $II^{-1} = \mathbb{Z}_K$.

(2) The set of fractional ideals of $\mathbb{Z}_K$ is an Abelian group.

(3) Every fractional ideal $I$ can be written in a unique way as

$$I = \prod_{\mathfrak{p}} \mathfrak{p}^{v_{\mathfrak{p}}(I)},$$

the product being over a finite set of prime ideals, and the exponents $v_{\mathfrak{p}}(I)$ being in $\mathbb{Z}$. In particular, $I$ is an integral ideal (i.e. $I \subset \mathbb{Z}_K$) if and only if all the $v_{\mathfrak{p}}(I)$ are non-negative.

(4) The maximal order $\mathbb{Z}_K$ is a PID if and only if it is a UFD.


Hence the ideals of $\mathbb{Z}_K$ behave exactly as the numbers in $\mathbb{Z}$, and can be handled in the same way. Note that (3) is much stronger than Proposition 4.6.13, but is valid only because $\mathbb{Z}_K$ is also integrally closed.

The quantity $v_{\mathfrak{p}}(I)$ is called the $\mathfrak{p}$-adic valuation of $I$ and satisfies the usual properties:

(1) $I \subset \mathbb{Z}_K \iff v_{\mathfrak{p}}(I) \ge 0$ for all prime ideals $\mathfrak{p}$.

(2) $J \subset I \iff v_{\mathfrak{p}}(I) \le v_{\mathfrak{p}}(J)$ for all prime ideals $\mathfrak{p}$.

(3) $v_{\mathfrak{p}}(I + J) = \min(v_{\mathfrak{p}}(I), v_{\mathfrak{p}}(J))$.

(4) $v_{\mathfrak{p}}(I \cap J) = \max(v_{\mathfrak{p}}(I), v_{\mathfrak{p}}(J))$.

(5) $v_{\mathfrak{p}}(IJ) = v_{\mathfrak{p}}(I) + v_{\mathfrak{p}}(J)$.

Hence the dictionary between fractional ideals and rational numbers is as follows:

Fractional ideals ↔ (non-zero) rational numbers.

Integral ideals ↔ integers.

Inclusion ↔ divisibility (with the reverse order).

Sum ↔ greatest common divisor.

Intersection ↔ least common multiple.

Product ↔ product.

Of course, a few of these notions could be unfamiliar for rational numbers, for example the GCD, but a moment's thought shows that one can give perfectly sensible definitions.

We end this section with the notion of norm of a fractional ideal. We have seen in Proposition 4.6.3 that for an integral ideal $I$ the norm of $I$ is the cardinality of the finite ring $R/I$. As already mentioned, a corollary of Theorem 4.6.14 is that $\mathcal{N}(IJ) = \mathcal{N}(I)\mathcal{N}(J)$ for ideals $I$ and $J$ of the maximal order $R = \mathbb{Z}_K$ (recall that this is false in general if $R$ is not maximal). This allows us to extend the definition of $\mathcal{N}(I)$ to fractional ideals if desired: any fractional ideal $I$ can be written as a quotient of two integral ideals, say $I = P/Q$ (in fact by definition we can take $Q = dR$ where $d$ is an integer), and we define $\mathcal{N}(I) = \mathcal{N}(P)/\mathcal{N}(Q)$. It is easy to check that this is independent of the choice of $P$ and $Q$ and that it is still multiplicative ($\mathcal{N}(IJ) = \mathcal{N}(I)\mathcal{N}(J)$). Of course, usually it will no longer be an integer.

The notion of norm of an ideal is linked to the notion of norm of an element that we have seen above in the following way:

Proposition 4.6.15. Let $x$ be a non-zero element of $K$. Then

$$|N_{K/\mathbb{Q}}(x)| = \mathcal{N}(x\mathbb{Z}_K),$$

in other words the norm of a principal ideal of $\mathbb{Z}_K$ is equal to the absolute value of the norm (in $K$) of a generating element.

One should never forget this absolute value. We could in fact have a nicer looking proposition (without absolute values) by using a slight extension of the notion of fractional ideal: because of Theorem 4.6.14 (3), the group of fractional ideals can be identified with the free Abelian group generated by the prime ideals $\mathfrak{p}$. Furthermore, a number field $K$ has places, corresponding to equivalence classes of valuations. The finite places, which correspond to non-Archimedean valuations, can be identified with the (non-zero) prime ideals of $\mathbb{Z}_K$. The other (so called infinite places) correspond to Archimedean valuations and can be identified with the embeddings $\sigma_i$ of $K$ in $\mathbb{C}$, with $\sigma$ identified with $\bar{\sigma}$ (thus giving $r_1 + r_2$ Archimedean valuations). Hence, we can consider the extended group which is the free Abelian group generated by all valuations, finite or not. One can show that to obtain a sensible definition, the coefficients of the non-real complex embeddings must be considered modulo 1, i.e. can be taken equal to 0, and the coefficients of the real embeddings must be considered modulo 2 (I do not give the justification for these claims). Hence, the group of generalized fractional ideals is

$$\mathbb{Z}^{|\mathcal{P}(K)|} \times \{\pm 1\}^{r_1},$$

where $\mathcal{P}(K)$ is the set of non-zero prime ideals. The norm of such a generalized ideal is then the norm of its finite part multiplied by the infinite components (i.e. by a sign). Now if $x \in K$, the generalized fractional ideal associated to $x$ is, on the finite part, equal to $x\mathbb{Z}_K$, and on the infinite place $\sigma_i$ (where $1 \le i \le r_1$) equal to the sign of $\sigma_i(x)$. It is then easy to check that these two notions of norm now correspond exactly, including sign.

The discussion above was meant as an aside, but is the beginning of the theory of adeles and ideles (see [Lang2]). In a down to earth way, we can say that most natural questions concerning number fields should treat together the Archimedean and non-Archimedean places (or primes). In addition to the present example, we have already mentioned the parallel between Propositions 4.1.14 and 4.8.6. Similarly, we will see Propositions 4.8.11 and 4.8.10. Maybe the most important consequence is that we will have to compute simultaneously class groups (i.e. the non-Archimedean part) and regulators (the Archimedean part), see Sections 4.9, 5.9 and 6.5.


4.7 Representation of Modules and Ideals

4.7.1 Modules and the Hermite Normal Form

As before, we work in a fixed number field $K$ of degree $n$, given by $K = \mathbb{Q}(\theta)$, where $\theta$ is an algebraic integer whose minimal monic polynomial is denoted $T(X)$.

Definition 4.7.1. A module in $K$ is a finitely generated sub-$\mathbb{Z}$-module of $K$ of rank exactly equal to $n$.


Since $\mathbb{Z}$ is a PID, such a module, being torsion free and finitely generated, must be free. Let $\omega_1, \ldots, \omega_n$ be a $\mathbb{Z}$-basis of $M$. The numbers $\omega_i$ are elements of $K$, hence we can find an integer $d$ such that $d\omega_i \in \mathbb{Z}[\theta]$ for all $i$. The least such positive $d$ will be called the denominator of $M$ with respect to $\mathbb{Z}[\theta]$. More generally, if $R$ is another module (for example $R = \mathbb{Z}_K$), we define the denominator of $M$ with respect to $R$ as the smallest positive $d$ such that $dM \subset R$.

Note that in the context of number fields, the word "module" will always have the above meaning, in other words it will always refer to a submodule of maximal rank $n$. If as a $\mathbb{Q}$-vector space we identify $K = \mathbb{Q}(\theta)$ with $\mathbb{Q}^n$, and $\mathbb{Z}[\theta]$ with $\mathbb{Z}^n$, the above definition is the same as the one that we have given in Section 2.4.3. In particular, we can use the notions of determinant, HNF and SNF of modules.

We  give  the  following  proposition  without  proof. 
Proposition 4.7.2. Let $M$ be a module in a number field $K$ in the above sense. Then there exists an order $R$ in $K$ and a positive integer $d$ such that $dM$ is an ideal of $R$. More precisely, there is a maximal such $R$ equal to $R = \{x \in K,\ xM \subset M\}$, and one can take for $d$ the denominator of $M$ with respect to $R$.


Specializing  to  our  case  the  results  of  Section  2.4.2,  we  obtain: 


Theorem 4.7.3. Let $\alpha_1, \ldots, \alpha_n$ be $n$ $\mathbb{Q}$-linearly independent elements of $K$, and $R$ be the module which they generate. Then for any module $M$, there exists a unique basis $\omega_1, \ldots, \omega_n$ such that if we write

$$\omega_j = \frac{1}{d} \sum_{1 \le i \le n} w_{i,j}\,\alpha_i,$$

where $d$ is the denominator of $M$ with respect to $R$, then the $n \times n$ matrix $W = (w_{i,j})$ satisfies the following conditions:

(1) For all $i$ and $j$ the $w_{i,j}$ are integers.

(2) $W$ is an upper triangular matrix, i.e. $w_{i,j} = 0$ if $i > j$.

(3) For every $i$, we have $w_{i,i} > 0$.

(4) For every $j > i$ we have $0 \le w_{i,j} < w_{i,i}$.


The corresponding basis $(\omega_i)_{1 \le i \le n}$ will be called the HNF-basis of $M$ with respect to $R$, and the pair $(W, d)$ will be called the HNF of $M$ (with respect to $R$). If $\alpha_i = \theta^{i-1}$, we will call $W$ (or $(W, d)$) the HNF with respect to $\theta$.

We  have  already  seen  in  section  2.4.3  how  to  test  equality  and  inclusion 
of  modules,  how  to  compute  the  sum  of  two  modules  and  the  product  of  a 
module  by  a  constant.  In  the  context  of  number  fields,  we  can  also  compute 
the  product  of  two  modules.  This  will  be  used  mainly  for  ideals. 

Recall that

$$MM' = \Bigl\{ \sum_j m_j m'_j,\ m_j \in M,\ m'_j \in M' \Bigr\}.$$

It is clear that $MM'$ is again a module. To obtain its HNF, we proceed as follows. Let $\omega_1, \ldots, \omega_n$ be the basis of $M$ obtained by considering the columns of the HNF of $M$ as the coefficients of the $\omega_i$ in the standard representation, and similarly for $M'$. Then the $n^2$ elements $\omega_i\omega'_j$ form a generating set of $MM'$. Hence, if we find the HNF of the $n \times n^2$ matrix formed by their coefficients in the standard representation, we will have obtained the HNF of $MM'$.

Note however that this is quite costly, since $n^2$ can be pretty large. Another method might be as follows. In the case where $M$ and $M'$ are ideals (of $\mathbb{Z}_K$ say), then $M$ and $M'$ have a $\mathbb{Z}_K$-generating set formed by two elements. In fact, one of these two elements can even be chosen in $\mathbb{Z}$ if desired. Hence it is clear that if $\omega_1, \ldots, \omega_n$ is a $\mathbb{Z}$-basis of $M$ and $\alpha, \beta$ a $\mathbb{Z}_K$-generating set of $M'$, then $\alpha\omega_1, \ldots, \alpha\omega_n, \beta\omega_1, \ldots, \beta\omega_n$ will be a $\mathbb{Z}$-generating set of $MM'$ (note that $M$ must also be an ideal for this to be true). Hence we can obtain the HNF of $MM'$ more simply by finding the HNF of the $n \times 2n$ matrix formed by the coefficients of the above generating set in the standard representation.

We end this section by the following proposition, whose proof is easy and left to the reader (see Exercise 18 of Chapter 2).

Proposition 4.7.4. Let $M$ be a module with denominator 1 with respect to a given $R$ (i.e. $M \subset R$), and $W = (w_{i,j})$ its HNF with respect to a basis $\alpha_1, \ldots, \alpha_n$ of $R$. Then the product of the $w_{i,i}$ (i.e. the determinant of $W$) is equal to the index $[R : M]$.

This will be used, for example, when $R = \mathbb{Z}[\theta]$ or $R = \mathbb{Z}_K$.


4.7.2 Representation of Ideals

The Hermite normal form of an ideal with respect to $\theta$ has a special form, as is shown by the following theorem:

Theorem 4.7.5. Let $M$ be a $\mathbb{Z}[\theta]$-module, let $(W, d)$ be its HNF with respect to the algebraic integer $\theta$, where $d$ is the denominator and $W = (w_{i,j})$ is an integral matrix in upper triangular HNF. Then for every $j$, $w_{j,j}$ divides all the elements of the $j \times j$ matrix formed by the first $j$ rows and columns. In other words, the HNF basis $\omega_1, \ldots, \omega_n$ of a $\mathbb{Z}[\theta]$-module has the form

$$\omega_j = \frac{z_j}{d}\Bigl(\theta^{j-1} + \sum_{1 \le i < j} h_{i,j}\,\theta^{i-1}\Bigr),$$

where the $z_j$ are positive integers such that $z_j \mid z_i$ for $i < j$, and the $h_{i,j}$ satisfy $0 \le h_{i,j} < z_i/z_j$ for $i < j$. Furthermore, $z_1$ is the smallest positive element of $dM \cap \mathbb{Z}$.

Proof. Without loss of generality, we may assume $d = 1$. We prove the theorem by induction on $j$. It is trivially true for $j = 1$. Assume $j > 1$ and that it is true for $j - 1$. Consider the $(j-1)$th basis element $\omega_{j-1}$ of $M$. We have

$$\omega_{j-1} = \sum_{1 \le i < j} w_{i,j-1}\,\theta^{i-1},$$

hence $\theta\omega_{j-1} = w_{j-1,j-1}\theta^{j-1} + \sum_{1 \le i < j-1} w_{i,j-1}\theta^{i}$. Since $M$ is a $\mathbb{Z}[\theta]$-module, this must be again an element of $M$, hence it has the form $\theta\omega_{j-1} = \sum_{1 \le i \le n} a_i\omega_i$ with integers $a_i$. Now since we have a triangular basis, identification of coefficients (from $\theta^{n-1}$ downwards) shows that $a_i = 0$ for $i > j$ and that $a_j w_{j,j} = w_{j-1,j-1}$. This already shows that $w_{j,j} \mid w_{j-1,j-1}$. But by induction, we know that $w_{j-1,j-1}$ divides $w_{i',j'}$ when $i'$ and $j'$ are less than or equal to $j - 1$. It follows that, modulo $w_{j-1,j-1}\mathbb{Z}[\theta]$ we have

$$0 \equiv \theta\omega_{j-1} \equiv a_j\omega_j = \frac{w_{j-1,j-1}}{w_{j,j}} \sum_{1 \le i \le j} w_{i,j}\,\theta^{i-1},$$

and this means that for every $i \le j$ we have

$$\frac{w_{j-1,j-1}}{w_{j,j}}\, w_{i,j} \equiv 0 \pmod{w_{j-1,j-1}},$$

which is equivalent to $w_{j,j} \mid w_{i,j}$ for $i \le j$, thus proving the theorem by induction. □

Note that the converse of this theorem is false (see Exercise 16).

Theorem 4.7.5 will be mainly used in two cases. First when $M$ is an ideal of $\mathbb{Z}_K$. The second is when $M$ is an order containing $\theta$. In that case one can say slightly more:

Corollary 4.7.6. Let $R$ be an order in $K$ containing $\theta$ (hence containing $\mathbb{Z}[\theta]$). Then the HNF basis $\omega_1, \ldots, \omega_n$ of $R$ with respect to $\theta$ has the form

$$\omega_j = \frac{1}{d_j}\Bigl(\theta^{j-1} + \sum_{1 \le i < j} h_{i,j}\,\theta^{i-1}\Bigr),$$

where the $d_j$ are positive integers such that $d_i \mid d_j$ for $i < j$, $d_1 = 1$, and the $h_{i,j}$ satisfy $0 \le h_{i,j} < d_j/d_i$ for $i < j$. In other words, with the notations of Theorem 4.7.5 we have $z_j \mid d$ for all $j$.

The proof is clear once one notices that the smallest positive integer belonging to an order is 1, hence by Theorem 4.7.5 that $z_1 = d$. □

If we assume that $R = \mathbb{Z}_K$ is given by an integral basis $\alpha_1, \ldots, \alpha_n$, then the HNF matrix of an ideal $I$ with respect to this basis does not usually satisfy the conditions of Theorem 4.7.5. We can always assume that we have chosen $\alpha_1 = 1$, and in that case it is easy to show in a similar manner as above that $w_{1,1}$ is divisible by $w_{i,i}$ for all $i$, and that if $w_{i,i} = w_{1,1}$, then $w_{j,i} = 0$ for $j \neq i$. This is left as an exercise for the reader (see Exercise 17).

Hence, depending on the context, we will represent an ideal of $\mathbb{Z}_K$ by its Hermite normal form with respect to a fixed integral basis of $\mathbb{Z}_K$, or by its HNF with respect to $\theta$ (i.e. corresponding to the standard representations of the basis elements). Please note once again that the special form of the HNF described in Theorem 4.7.5 is valid only in this last case.

Whichever representation is chosen, we have seen in Sections 2.4.3 and 4.7.1 how to compute sums and products of ideals, and to test equality and inclusion (i.e. divisibility). Finally, as has already been mentioned several times, the norm is the absolute value of the determinant of the matrix, and in the HNF case this is simply the product of the diagonal elements.

Note that to test whether an element of $K$ is in a given ideal is a special case of the inclusion test, since $x \in I \iff xR \subset I$. Here however it is simpler (although not so much more efficient) to solve a (triangular) system of linear equations: if $(W, d)$ is the HNF of $I$ with respect to $\theta$, then if $x = \bigl(\sum_{1 \le i \le n} x_i\theta^{i-1}\bigr)/e$ is the standard representation of $x$, we must solve the equation

$$WA = \frac{d}{e}\,X,$$

where $X$ is the column vector of the $x_i$, and $A$ is the unknown column vector. Since $W$ is triangular, this is especially simple, and $x \in I$ if and only if $A$ has integral coefficients.

To  this  point,  we  have  considered  ideals  mainly  as  Z-modules.  There  is  a 
completely  different  way  to  represent  them  based  on  the  following  proposition. 

Proposition 4.7.7. Let $I$ be an integral ideal of $\mathbb{Z}_K$.

(1) For any non-zero element $\alpha \in I$ there exists an element $\beta \in I$ such that $I = \alpha\mathbb{Z}_K + \beta\mathbb{Z}_K$.

(2) There exists a non-zero element in $I \cap \mathbb{Z}$. If we denote by $\ell(I)$ the smallest positive element of $I \cap \mathbb{Z}$, then $\ell(I)$ is a divisor of $\mathcal{N}(I) = [\mathbb{Z}_K : I]$. In particular, there exists $\beta \in I$ such that $I = \ell(I)\mathbb{Z}_K + \beta\mathbb{Z}_K$.

(3) If $\alpha$ and $\beta$ are in $K$, then $I = \alpha\mathbb{Z}_K + \beta\mathbb{Z}_K$ if and only if for every prime ideal $\mathfrak{p}$ we have $\min(v_{\mathfrak{p}}(\alpha), v_{\mathfrak{p}}(\beta)) = v_{\mathfrak{p}}(I)$, where $v_{\mathfrak{p}}$ denotes the $\mathfrak{p}$-adic valuation at the prime ideal $\mathfrak{p}$.

To  prove  this  proposition,  we  first  prove  a  special  case  of  the  so-called 
approximation  theorem  valid  in  any  Dedekind  domain. 

Proposition 4.7.8. Let $S$ be a finite set of prime ideals of $\mathbb{Z}_K$ and $(e_i)$ a set of non-negative integers indexed by $S$. There exists a $\beta \in \mathbb{Z}_K$ such that for each $\mathfrak{p}_i \in S$ we have

$$v_{\mathfrak{p}_i}(\beta) = e_i.$$

(Note that there may exist prime ideals $\mathfrak{q}$ not belonging to $S$ such that $v_{\mathfrak{q}}(\beta) > 0$.)

Remark. More generally, $S$ can be taken to be a set of places of $K$, and in particular can contain Archimedean valuations.

Proof. Let $r = |S|$,

$$I = \prod_{i=1}^{r} \mathfrak{p}_i^{e_i+1},$$

and for each $i$, set

which is still an integral ideal. It is clear that $\mathfrak{a}_1 + \mathfrak{a}_2 + \cdots + \mathfrak{a}_r = \mathbb{Z}_K$ (otherwise this sum would be divisible by one of the $\mathfrak{p}_j$, which is clearly impossible). Hence, let $u_i \in \mathfrak{a}_i$ such that $u_1 + u_2 + \cdots + u_r = 1$. Furthermore, for each $i$ choose $\beta_i \in \mathfrak{p}_i^{e_i} \setminus \mathfrak{p}_i^{e_i+1}$, which is possible since $\mathfrak{p}_i$ is invertible. Then I claim that

$$\beta = \sum_{i=1}^{r} \beta_i u_i$$

has the desired property. Indeed, since $\mathfrak{p}_i \mid \mathfrak{a}_j$ for $i \neq j$, it is easy to check from the definition of the $\mathfrak{a}_i$ that

$$v_{\mathfrak{p}_i}(\beta) = v_{\mathfrak{p}_i}(\beta_i u_i) = e_i$$

since $v_{\mathfrak{p}_i}(u_i) = 0$ and $v_{\mathfrak{p}_i}(\beta_i) = e_i$. Note that this is simply the proof of the Chinese remainder theorem for ideals. □

Proof of Proposition 4.7.7. (1) Let $\alpha\mathbb{Z}_K = \prod_{i=1}^{r} \mathfrak{p}_i^{a_i}$ be the prime ideal decomposition of the principal ideal generated by $\alpha$. Since $\alpha \in I$, we also have $I = \prod_{i=1}^{r} \mathfrak{p}_i^{e_i}$ for exponents $e_i$ (which may be equal to zero) such that $e_i \le a_i$. According to Proposition 4.7.8 that we have just proved, there exists a $\beta$ such that $v_{\mathfrak{p}_i}(\beta) = e_i$ for $i \le r$. This implies in particular that $I \mid \beta$, i.e. that $\beta \in I$, and furthermore if we set $I' = \alpha\mathbb{Z}_K + \beta\mathbb{Z}_K$ we have for $i \le r$

$$v_{\mathfrak{p}_i}(I') = \min(v_{\mathfrak{p}_i}(\alpha), v_{\mathfrak{p}_i}(\beta)) = e_i,$$

and if $\mathfrak{q}$ is a prime ideal which does not divide $\alpha$, $v_{\mathfrak{q}}(I') = 0$, from which it follows that $I' = \prod_{i=1}^{r} \mathfrak{p}_i^{e_i} = I$, thus proving (1).

For (2), we note that since $\mathcal{N}(I) = [\mathbb{Z}_K : I]$, any element of the Abelian quotient group $\mathbb{Z}_K/I$ is annihilated by $\mathcal{N}(I)$, in other words we have $\mathcal{N}(I)\mathbb{Z}_K \subset I$. This implies $\mathcal{N}(I) \in I \cap \mathbb{Z}$, and since any subgroup of $\mathbb{Z}$ is of the form $k\mathbb{Z}$, (2) follows.

Finally, for (3) recall that the sum of ideals corresponds to taking a GCD, and that the GCD is computed by taking the minimum of the $\mathfrak{p}$-adic valuations. □

Hence every ideal has a two element representation $(\alpha, \beta)$ where $I = \alpha\mathbb{Z}_K + \beta\mathbb{Z}_K$, and we can take for example $\alpha = \ell(I)$. This two element representation is however difficult to handle: for the sum or product of two ideals, we get four generators over $\mathbb{Z}_K$, and we must get back to two. More generally, it is not very easy to go from the HNF (or more generally any $\mathbb{Z}$-basis $n$-element representation) to a two element representation.

There are however two cases in which that representation is useful. The first is in the case of quadratic fields ($n = 2$), and we will see this in Chapter 5. The other, which has already been mentioned in Section 4.7.1, is as follows: we will see in Section 4.9 that prime ideals do not come out of the blue, and that in algorithmic practice most prime ideals $\mathfrak{p}$ are obtained as a two element representation $(p, x)$ where $p$ is a prime number and $x$ is an element of $\mathfrak{p}$. To go from that two element representation to the HNF form is easy, but is not desirable in general. Indeed, what one usually does with a prime ideal is to multiply it with some other ideal $I$. If $\omega_1, \ldots, \omega_n$ is a $\mathbb{Z}$-basis of $I$ (for example the basis obtained from the HNF form of $I$ on the given integral basis of $\mathbb{Z}_K$), then we can build the HNF of the product $\mathfrak{p}I$ by computing the $n \times 2n$ matrix of the generating set $p\omega_1, \ldots, p\omega_n, x\omega_1, \ldots, x\omega_n$ expressed on the integral basis, and then do HNF reduction. As has already been mentioned in Section 4.7.1, this is more efficient than doing an $n \times n^2$ HNF reduction if we used both HNF representations. Note that if one really wants the HNF of $\mathfrak{p}$ itself, it suffices to apply the preceding algorithm to $I = \mathbb{Z}_K$.

Note that if $(W, d)$ (with $W = (w_{i,j})$) is the HNF of $I$ with respect to $\theta$, and if $f = [\mathbb{Z}_K : \mathbb{Z}[\theta]]$, then $\ell(I) = w_{1,1}/d$ and $d^n\mathcal{N}(I) = [\mathbb{Z}_K : dI] = f\prod_{1 \le i \le n} w_{i,i}$, so

$$\mathcal{N}(I) = d^{-n} f \prod_{1 \le i \le n} w_{i,i}.$$

Now it often happens that prime ideals are not given by a two element representation but by a larger number of generating elements. If this ideal is going to be used repeatedly, it is worthwhile to find a two element representation for it. As we have already mentioned this is not an easy problem in general, but in the special case of prime ideals we can give a reasonably efficient algorithm. This is based on the following lemma.

Lemma 4.7.9. Let $\mathfrak{p}$ be a prime ideal above $p$ of norm $p^f$ ($f$ is called the residual degree of $\mathfrak{p}$ as we will see in the next section), and let $\alpha \in \mathfrak{p}$. Then we have $\mathfrak{p} = (p, \alpha) = p\mathbb{Z}_K + \alpha\mathbb{Z}_K$ if and only if $v_p(\mathcal{N}(\alpha)) = f$ or $v_p(\mathcal{N}(\alpha + p)) = f$, where $v_p$ denotes the ordinary $p$-adic valuation.

Proof. This proof assumes some results and definitions introduced in the next section. Assume first that $v_p(\mathcal{N}(\alpha)) = f$. Then, since $\alpha \in \mathfrak{p}$ and $\mathcal{N}(\mathfrak{p}) = p^f$, for every prime $\mathfrak{q}$ above $p$ and different from $\mathfrak{p}$ we must have $v_{\mathfrak{q}}(\alpha) = 0$, otherwise $\mathfrak{q}$ would contribute more powers of $p$ to $\mathcal{N}(\alpha)$. In addition and for the same reason we must have $v_{\mathfrak{p}}(\alpha) = 1$. It follows that for any prime ideal $\mathfrak{q}$, $\min(v_{\mathfrak{q}}(p), v_{\mathfrak{q}}(\alpha)) = v_{\mathfrak{q}}(\mathfrak{p})$ and so $\mathfrak{p} = (p, \alpha)$ by Proposition 4.7.7 (3).

If $v_p(\mathcal{N}(\alpha + p)) = f$ we deduce from this that $\mathfrak{p} = p\mathbb{Z}_K + (\alpha + p)\mathbb{Z}_K$, but this is clearly also equal to $p\mathbb{Z}_K + \alpha\mathbb{Z}_K$.

Conversely, let $\mathfrak{p} = p\mathbb{Z}_K + \alpha\mathbb{Z}_K$. Then for every prime ideal $\mathfrak{q}$ above $p$ and different from $\mathfrak{p}$ we have $v_{\mathfrak{q}}(\alpha) = 0$, while for $\mathfrak{p}$ we can only say that $\min(v_{\mathfrak{p}}(p), v_{\mathfrak{p}}(\alpha)) = 1$.

Assume first that $v_{\mathfrak{p}}(\alpha) = 1$. Then clearly $v_p(\mathcal{N}(\alpha)) = v_p(\mathcal{N}(\mathfrak{p})) = f$ as desired. Otherwise we have $v_{\mathfrak{p}}(\alpha) > 1$, and hence $v_{\mathfrak{p}}(p) = 1$. But then we will have $v_{\mathfrak{p}}(\alpha + p) = 1$ (otherwise $v_{\mathfrak{p}}(p) = v_{\mathfrak{p}}((p + \alpha) - \alpha) > 1$), and still $v_{\mathfrak{q}}(\alpha + p) = 0$ for all other primes $\mathfrak{q}$ above $p$, and so $v_p(\mathcal{N}(\alpha + p)) = f$ as before, thus proving the lemma. □

Note that the condition $v_p(\mathcal{N}(\alpha)) = f$, while sufficient, is not a necessary condition (see Exercise 20).

Note also that if we write $\alpha = \sum_{1 \le i \le k} \lambda_i\gamma_i$ where the $\gamma_i$ is some generating set of $\mathfrak{p}$, we may always assume that $|\lambda_i| \le p/2$ since $p \in \mathfrak{p}$. In addition, if we choose $\gamma_1 = p$, we may assume that $\lambda_1 = 0$.

This  suggests  the  following  algorithm,  which  is  simple  minded  but  works 
quite  well. 

Algorithm 4.7.10 (Two-Element Representation of a Prime Ideal). Given a prime ideal $\mathfrak{p}$ above $p$ by a system of $\mathbb{Z}$-generators $\gamma_i$ ($1 \le i \le k$), this algorithm computes a two-element representation $(p, \alpha)$ for $\mathfrak{p}$.

We assume that one knows the norm $p^f$ of $\mathfrak{p}$ (this is always the case in practice, and in any case it can be obtained by computing the HNF of $\mathfrak{p}$ from the given generators), and that $\gamma_1 = p$ (if this is not the case just add it to the list of generators).

1. [Initialize] Set $R \leftarrow 1$.

2. [Set coefficients] For $2 \le i \le k$ set $\lambda_i \leftarrow R$.

3. [Compute $\alpha$ and check] Let $\alpha \leftarrow \sum_{2 \le i \le k} \lambda_i\gamma_i$, $n \leftarrow \mathcal{N}(\alpha)/p^f$, where the norm is computed, for example, using the sub-resultant algorithm (see Section 4.3). If $p \nmid n$, then output $(p, \alpha)$ and terminate the algorithm. Otherwise, set $n \leftarrow \mathcal{N}(\alpha + p)/p^f$. If $p \nmid n$ then output $(p, \alpha)$ and terminate the algorithm.

4. [Decrease coefficients] Let $j$ be the largest $i \le k$ such that $\lambda_i \ne -R$ (we will always keep $\lambda_2 \ge 0$ so $j$ will exist). Set $\lambda_j \leftarrow \lambda_j - 1$ and for $j + 1 \le i \le k$ set $\lambda_i \leftarrow R$.

5. [Search for first non-zero] Let $j$ be the smallest $i \le k$ such that $\lambda_i \ne 0$. If no such $j$ exists (i.e. if all the $\lambda_i$ are equal to 0) set $R \leftarrow R + 1$ and go to step 2. Otherwise go to step 3.


Remarks.

(1) Steps 4 and 5 of this algorithm represent a standard backtracking procedure. What we do essentially is to search for $\alpha = \sum_{2 \le i \le k} \lambda_i\gamma_i$ where the $\lambda_i$ are integers between $-R$ and $R$. To avoid searching both for $\alpha$ and $-\alpha$, we add the condition that the first non-zero $\lambda_i$ should be positive. If the search fails, we start it again with a larger value of $R$. Of course, some time will be wasted since many old values of $\alpha$ will be recomputed, but in practice this has no real importance, and in fact $R = 1$ or $R = 2$ is usually sufficient. The remark made after Lemma 4.7.9 shows that the algorithm will stop with $R \le p/2$.

(2) It is often the case that one of the $\gamma_i$ for $2 \le i \le k$ will satisfy one of the conditions of step 3. Thus it is useful to test this before starting the backtracking procedure.

We  refer  to  [Poh-Zas]  for  extensive  information  on  the  use  of  two-element 
representations. 


4.8  Decomposition  of  Prime  Numbers  I 

For simplicity, we continue to work with a number field $K$ considered as an extension of $\mathbb{Q}$, and not considered as a relative extension. Many of the theorems or algorithms which are explained in that context are still true in the more general case, but some are not. (For example, we have already seen this for the existence of integral bases.) Almost always, these generalizations fail because the ring of integers of the base field is not a PID (or equivalently a UFD).

4.8.1  Definitions  and  Main  Results 

The  main  results  concerning  the  decomposition  of  primes  are  as  follows.  We 
always  implicitly  assume  that  the  prime  ideals  are  non-zero. 

Proposition 4.8.1.

(1) If $\mathfrak{p}$ is a prime ideal of $K$, then $\mathfrak{p} \cap \mathbb{Z} = p\mathbb{Z}$ for some prime number $p$.

(2) If $p$ is a prime number and $\mathfrak{p}$ is a prime ideal of $K$, the following conditions are equivalent:

(i) $\mathfrak{p} \supset p\mathbb{Z}$.

(ii) $\mathfrak{p} \cap \mathbb{Z} = p\mathbb{Z}$.

(iii) $\mathfrak{p} \cap \mathbb{Q} = p\mathbb{Z}$.

(3) For any prime number $p$ we have $p\mathbb{Z}_K \cap \mathbb{Z} = p\mathbb{Z}$.

More generally, we have $a\mathbb{Z}_K \cap \mathbb{Z} = a\mathbb{Z}$ for any integer $a$, prime or not.

Definition 4.8.2. If $\mathfrak{p}$ and $p$ satisfy one of the equivalent conditions of Proposition 4.8.1 (2), we say that $\mathfrak{p}$ is a prime ideal above $p$, and that $p$ is below $\mathfrak{p}$.


Theorem 4.8.3. Let $p$ be a prime number. There exist positive integers $e_i$ such that

$$p\mathbb{Z}_K = \prod_{i=1}^{g} \mathfrak{p}_i^{e_i}$$

where the $\mathfrak{p}_i$ are all the prime ideals above $p$.

Definition 4.8.4. The integer $e_i$ is called the ramification index of $p$ at $\mathfrak{p}_i$ and is denoted $e(\mathfrak{p}_i/p)$. The degree $f_i$ of the field extension defined by

$$f_i = [\mathbb{Z}_K/\mathfrak{p}_i : \mathbb{Z}/p\mathbb{Z}]$$

is called the residual degree (or simply the degree) of $\mathfrak{p}_i$ and is denoted $f(\mathfrak{p}_i/p)$.

Note that both $\mathbb{Z}_K/\mathfrak{p}_i$ and $\mathbb{Z}/p\mathbb{Z}$ are finite fields, and $f_i$ is the dimension of the first considered as a vector space over the second.

Theorem 4.8.5. We have the following formulas:

$$\mathcal{N}(\mathfrak{p}_i) = p^{f_i},$$

and

$$\sum_{i=1}^{g} e_i f_i = n = \deg(K).$$

In the case when $K/\mathbb{Q}$ is a Galois extension, the result is more specific:

Theorem 4.8.6. Assume that $K/\mathbb{Q}$ is a Galois extension (i.e. that for all the embeddings $\sigma_i$ of $K$ in $\mathbb{C}$ we have $\sigma_i(K) = K$). Then, for any $p$, the ramification indices $e_i$ are equal (say to $e$), the residual degrees $f_i$ are equal as well (say to $f$), hence $efg = n$. In addition, the Galois group operates transitively on the prime ideals above $p$: if $\mathfrak{p}_i$ and $\mathfrak{p}_j$ are two ideals above $p$, there exists $\sigma$ in the Galois group such that $\sigma(\mathfrak{p}_i) = \mathfrak{p}_j$.

Definition 4.8.7. Let $p\mathbb{Z}_K = \prod_{i=1}^{g} \mathfrak{p}_i^{e_i}$ be the decomposition of a prime $p$. We will say that $p$ is inert if $g = 1$ and $e_1 = 1$, in other words if $p\mathbb{Z}_K = \mathfrak{p}$ (hence $f_1 = n$). We will say that $p$ splits completely if $g = n$ (hence for all $i$, $e_i = f_i = 1$). Finally, we say that $p$ is ramified if there is an $e_i$ which is greater than or equal to 2 (in other words if $p\mathbb{Z}_K$ is not squarefree), otherwise we say that $p$ is unramified. Those prime ideals $\mathfrak{p}_i$ such that $e_i > 1$ are called the ramified prime ideals of $\mathbb{Z}_K$.

Note that there are intermediate cases which do not deserve a special name. The fundamental theorem about ramification is as follows:

Theorem 4.8.8. Let $p$ be a prime number. Then $p$ is ramified in $K$ if and only if $p$ divides the discriminant $d(K)$ of $K$ (recall that this is the discriminant of any integral basis of $\mathbb{Z}_K$). In particular, there are only a finite number of ramified primes (exactly $\omega(d(K))$, where $\omega(x)$ is the number of distinct prime divisors of an integer $x$).

We can also define the decomposition of the "infinite prime" of $\mathbb{Q}$ in a similar manner, since we are extending valuations. The ordinary primes correspond to the non-Archimedean valuations and the real or complex embeddings correspond to the Archimedean ones. Since we are over $\mathbb{Q}$, there is only the real embedding of $\mathbb{Q}$ to lift, and (as a special case of a general definition), when the signature of $K$ is $(r_1, r_2)$, we will say that the infinite prime of $\mathbb{Q}$ lifts to a product of $r_1$ real places of $K$ times $r_2$ non-real places to the power 2. Hence, $g = r_1 + r_2$, $e_i = 1$ for $i \le r_1$, $e_i = 2$ for $i > r_1$, and $f_i = 1$ for all $i$. We also have the following results:

Proposition 4.8.9.

(1) (Hermite). The set of isomorphism classes of number fields of given discriminant is finite.

(2) (Minkowski). If $K$ is a number field different from $\mathbb{Q}$, then $|d(K)| > 1$. In particular, there is at least one ramified prime in $K$.

Proposition 4.8.10 (Stickelberger). If $p$ is an unramified prime in $K$ with $p\mathbb{Z}_K = \prod_{i=1}^{g} \mathfrak{p}_i$, we have

$$\left(\frac{d(K)}{p}\right) = (-1)^{n-g},$$

including the case $p = 2$ where $\left(\frac{d(K)}{p}\right)$ is to be interpreted as the Jacobi-Kronecker symbol (see Definition 1.4.8).

This shows that the parity of the number of primes above $p$ (i.e. the "Möbius" function of $p$) can easily be computed.

Note that this proposition is also true for the infinite prime as given above, if we interpret the Legendre symbol as the sign of $d(K)$:

Proposition 4.8.11. If $K$ is a number field with signature $(r_1, r_2)$, then the sign of the discriminant $d(K)$ is equal to $(-1)^{r_2}$.

Proof. Since, up to a square, the discriminant $d(K)$ is equal to $\prod_{i<j}(\theta_i - \theta_j)^2$ (with evident notations), then a case by case examination shows that when conjugate terms are paired, all the factors become positive except for

$$\prod_{r_1 < i \le r_1 + r_2} (\theta_i - \theta_{i+r_2})^2,$$

whose sign is $(-1)^{r_2}$ since $\theta_i - \theta_{i+r_2}$ is pure imaginary. □

Corollary 4.8.12. The decomposition type of a prime number $p$ in a quadratic field $K$ of discriminant $D$ is the following: if $\left(\frac{D}{p}\right) = -1$ then $p$ is inert. If $\left(\frac{D}{p}\right) = 0$ then $p$ is ramified (i.e. $p\mathbb{Z}_K = \mathfrak{p}^2$). Finally, if $\left(\frac{D}{p}\right) = +1$, then $p$ splits (completely), i.e. $p\mathbb{Z}_K = \mathfrak{p}_1\mathfrak{p}_2$.


4.8.2  A  Simple  Algorithm  for  the  Decomposition  of  Primes 

We  now  consider  a  more  difficult  algorithmic  problem,  that  of  determining 
the  decomposition  of  prime  numbers  in  a  number  field.  The  basic  theorem  on 
the  subject,  which  unfortunately  is  not  completely  sufficient,  is  as  follows. 

Theorem 4.8.13. Let $K = \mathbb{Q}(\theta)$ be a number field, where $\theta$ is an algebraic integer, whose (monic) minimal polynomial is denoted $T(X)$. Let $f$ be the index of $\theta$, i.e. $f = [\mathbb{Z}_K : \mathbb{Z}[\theta]]$. Then for any prime $p$ not dividing $f$ one can obtain the prime decomposition of $p\mathbb{Z}_K$ as follows. Let

$$T(X) = \prod_{i=1}^{g} T_i(X)^{e_i} \pmod p$$

be the decomposition of $T$ into irreducible factors in $\mathbb{F}_p[X]$, where the $T_i$ are taken to be monic. Then

$$p\mathbb{Z}_K = \prod_{i=1}^{g} \mathfrak{p}_i^{e_i},$$

where

$$\mathfrak{p}_i = (p, T_i(\theta)) = p\mathbb{Z}_K + T_i(\theta)\mathbb{Z}_K.$$

Furthermore, the residual index is equal to the degree of $T_i$.

Since we have discussed at length in Chapter 3 algorithmic methods for finding the decomposition of polynomials in $\mathbb{F}_p[X]$, we see that this theorem gives us an excellent algorithmic method to find the decomposition of $p\mathbb{Z}_K$ when $p$ does not divide the index $f$. The hard problems start when $p \mid f$. Of course, one then could try and change $\theta$ to get a different index, if possible prime to $p$, but even this is doomed. There can exist primes, called inessential discriminantal divisors, which divide any index, no matter which $\theta$ is chosen. It can be shown that such exceptional primes are smaller than or equal to $n - 1$, so very few primes if any are exceptional. But the problem still exists: for example it is not difficult to give examples of fields of degree 3 where 2 is exceptional, see Exercise 10 of Chapter 6.

The  case  when  p  divides  the  index  is  much  harder,  and  will  be  studied 
along  with  an  algorithm  to  find  integral  bases  in  Chapter  6. 

Proof of Theorem 4.8.13. Set $f_i = \deg(T_i)$ and $\mathfrak{p}_i = p\mathbb{Z}_K + T_i(\theta)\mathbb{Z}_K$. Let us assume that we have proved the following lemma:

Lemma 4.8.14.

(1) For all $i$, either $\mathfrak{p}_i = \mathbb{Z}_K$, or $\mathbb{Z}_K/\mathfrak{p}_i$ is a field of cardinality $p^{f_i}$.

(2) If $i \ne j$ then $\mathfrak{p}_i + \mathfrak{p}_j = \mathbb{Z}_K$.

(3) $p\mathbb{Z}_K \mid \mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_g^{e_g}$.

Then, after reordering the $\mathfrak{p}_i$, we can assume that $\mathfrak{p}_i \ne \mathbb{Z}_K$ for $i \le s$ and $\mathfrak{p}_i = \mathbb{Z}_K$ for $s < i \le g$ (we will in fact see that $s = g$). Then by Lemma 4.8.14 (1), the ideals $\mathfrak{p}_i$ are prime for $i \le s$, and since by definition they contain $p\mathbb{Z}_K$, they are above $p$ (Proposition 4.8.1). (1) also implies that the $f_i$ (for $i \le s$) are the residual indices of $\mathfrak{p}_i$. By (2) we know that the $\mathfrak{p}_i$ for $i \le s$ are distinct, and (3) implies that the decomposition of the ideal $p\mathbb{Z}_K$ is

$$p\mathbb{Z}_K = \prod_{i=1}^{s} \mathfrak{p}_i^{d_i} \quad\text{where } d_i \le e_i \text{ for all } i \le s.$$

Hence, by Theorem 4.8.5, we have $n = d_1 f_1 + \cdots + d_s f_s$. Since we also have $\deg(T) = n = e_1 f_1 + \cdots + e_g f_g$ and $d_i \le e_i$ for all $i$, this implies that we must have $s = g$ and $d_i = e_i$ for all $i$, thus proving Theorem 4.8.13. □

Proof of Lemma 4.8.14 (1). Set $K_i = \mathbb{F}_p[X]/(T_i)$. Since $T_i$ is irreducible, $K_i$ is a field. Furthermore, the degree of $K_i$ over $\mathbb{F}_p$ is $f_i$, and so the cardinality of $K_i$ is $p^{f_i}$. Thus we need to show that either $\mathfrak{p}_i = \mathbb{Z}_K$ or that $\mathbb{Z}_K/\mathfrak{p}_i \cong K_i$. Now it is clear that $\mathbb{Z}[X]/(p, T_i) \cong K_i$, hence $(p, T_i)$ is a maximal ideal of $\mathbb{Z}[X]$. But the kernel of the natural homomorphism $\phi$ from $\mathbb{Z}[X]$ to $\mathbb{Z}_K/\mathfrak{p}_i$ which sends $X$ to $\theta \bmod \mathfrak{p}_i$ clearly contains this ideal, hence is either $\mathbb{Z}[X]$ or $(p, T_i)$. If we show that $\phi$ is onto, this will imply that $\mathfrak{p}_i = \mathbb{Z}_K$ or $\mathbb{Z}_K/\mathfrak{p}_i \cong \mathbb{Z}[X]/(p, T_i) \cong K_i$, proving (1).

Now to say that $\phi$ is surjective means that $\mathbb{Z}_K = \mathbb{Z}[\theta] + \mathfrak{p}_i$. By definition, $p\mathbb{Z}_K \subset \mathfrak{p}_i$. Hence

$$[\mathbb{Z}_K : \mathbb{Z}[\theta] + \mathfrak{p}_i] \mid [\mathbb{Z}_K : \mathbb{Z}[\theta] + p\mathbb{Z}_K] = \gcd([\mathbb{Z}_K : \mathbb{Z}[\theta]], [\mathbb{Z}_K : p\mathbb{Z}_K]).$$

Since we have assumed that $p$ does not divide the index, and since $[\mathbb{Z}_K : p\mathbb{Z}_K] = p^n$, this shows that $[\mathbb{Z}_K : \mathbb{Z}[\theta] + \mathfrak{p}_i] = 1$, hence the surjectivity of $\phi$. Note that this is the only part of the whole proof of Theorem 4.8.13 which uses that $p$ does not divide the index of $\theta$.

Proof of Lemma 4.8.14 (2). Since $T_i$ and $T_j$ are coprime in $\mathbb{F}_p[X]$, there exist polynomials $U$ and $V$ such that $UT_i + VT_j - 1 \in p\mathbb{Z}[X]$. It follows that $U(\theta)T_i(\theta) + V(\theta)T_j(\theta) = 1 + pW(\theta)$ for some polynomial $W \in \mathbb{Z}[X]$, and this immediately implies that $1 \in \mathfrak{p}_i + \mathfrak{p}_j$, i.e. that $\mathfrak{p}_i + \mathfrak{p}_j = \mathbb{Z}_K$.

Proof of Lemma 4.8.14 (3). Set $\gamma_i = T_i(\theta)$, so $\mathfrak{p}_i = (p, \gamma_i)$. By distributivity, it is clear that

$$\mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_g^{e_g} \subset (p, \gamma_1^{e_1} \cdots \gamma_g^{e_g}).$$

Now I claim that $(p, \gamma_1^{e_1} \cdots \gamma_g^{e_g}) = p\mathbb{Z}_K$, from which (3) follows. Indeed, $\supset$ is trivial. Conversely we have by definition $T_1^{e_1} \cdots T_g^{e_g} - T \in p\mathbb{Z}[X]$, hence taking $X = \theta$ we obtain

$$\gamma_1^{e_1} \cdots \gamma_g^{e_g} \in p\mathbb{Z}[\theta] \subset p\mathbb{Z}_K,$$

proving our claim and the lemma. □

Note that in the general case where $p \mid f$ which will be studied in Chapter 6, the prime ideals $\mathfrak{p}_i$ above $p$ are still of the form $p\mathbb{Z}_K + T_i(\theta)\mathbb{Z}_K$, but now $T_i \in \mathbb{Q}[X]$ and does not always correspond to a factor of $T$ modulo $p$.
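The following Python program is added here as an illustration and is not the book's code: it carries out the recipe of Theorem 4.8.13 for $K = \mathbb{Q}(\theta)$ with small $p$ and small degree, factoring $T$ modulo $p$ by brute-force trial division (the Chapter 3 algorithms are the real tool), reading off the $(e_i, f_i)$, classifying $p$ as in Definition 4.8.7 and checking Proposition 4.8.10 against a discriminant supplied by the caller. All function names are the example's own, and it assumes $p$ does not divide the index $[\mathbb{Z}_K : \mathbb{Z}[\theta]]$ (true for the two fields used, where $\mathbb{Z}_K = \mathbb{Z}[\theta]$).

```python
"""Decomposition of a prime p in K = Q(theta) by Theorem 4.8.13 (Dedekind).

Added example, not code from the book.  Assumes p does not divide the index
[Z_K : Z[theta]].  Polynomials are coefficient lists, lowest degree first.
Factoring over F_p is by brute-force trial division with monic polynomials
of increasing degree, so p and deg T must be small (a worked example, not a
replacement for the Chapter 3 factoring algorithms).
"""
from itertools import product


def _trim(a):
    """Drop leading zero coefficients (keep at least one entry)."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def poly_mod_p(a, p):
    return _trim([c % p for c in a])


def poly_divmod(a, b, p):
    """Euclidean division in F_p[X]; b must be monic modulo p."""
    a, b = poly_mod_p(list(a), p), poly_mod_p(list(b), p)
    assert b[-1] == 1, "divisor must be monic"
    q, r = [0] * max(1, len(a) - len(b) + 1), a[:]
    while len(r) >= len(b) and r != [0]:
        shift, c = len(r) - len(b), r[-1]
        q[shift] = c
        for i, bc in enumerate(b):
            r[shift + i] = (r[shift + i] - c * bc) % p
        r = _trim(r)
    return _trim(q), r


def monic_polys(deg, p):
    """All monic polynomials of exact degree deg over F_p."""
    for low in product(range(p), repeat=deg):
        yield list(low) + [1]


def factor_mod_p(T, p):
    """Factor monic T in F_p[X] into [(T_i, e_i)], T_i monic irreducible."""
    rest, factors, deg = poly_mod_p(list(T), p), [], 1
    while len(rest) - 1 >= 2 * deg:
        for cand in monic_polys(deg, p):
            q, r = poly_divmod(rest, cand, p)
            if r == [0]:
                e = 0
                while r == [0]:          # divide out cand completely
                    e, rest = e + 1, q
                    q, r = poly_divmod(rest, cand, p)
                factors.append((cand, e))
                break                    # rescan this degree from the start
        else:
            deg += 1                     # nothing of this degree divides rest
    if len(rest) > 1:                    # leftover has no factor of degree
        factors.append((rest, 1))        # <= (deg rest)/2, so it is irreducible
    return factors


def decompose(T, p):
    """[(e_i, f_i, T_i)]: p Z_K = prod p_i^{e_i}, p_i = (p, T_i(theta)), f_i = deg T_i."""
    result = [(e, len(Ti) - 1, Ti) for Ti, e in factor_mod_p(T, p)]
    assert sum(e * f for e, f, _ in result) == len(T) - 1   # Theorem 4.8.5
    return result


def decomposition_type(T, p):
    """Classification of Definition 4.8.7."""
    dec, n = decompose(T, p), len(T) - 1
    if any(e >= 2 for e, _, _ in dec):
        return "ramified"
    if len(dec) == 1:
        return "inert"
    if len(dec) == n:
        return "split"
    return "unramified, neither inert nor split"


def stickelberger_check(T, p, disc):
    """Proposition 4.8.10 for an odd p not dividing disc = d(K):
    the Legendre symbol (disc/p) must equal (-1)^(n-g)."""
    n, g = len(T) - 1, len(decompose(T, p))
    ls = pow(disc % p, (p - 1) // 2, p)          # Euler's criterion
    return (-1 if ls == p - 1 else ls) == (-1) ** (n - g)


if __name__ == "__main__":
    # Q(i) with T = X^2 + 1, d(K) = -4; Q(cbrt 2) with T = X^3 - 2, d(K) = -108.
    for T, disc in (([1, 0, 1], -4), ([-2, 0, 0, 1], -108)):
        for p in (2, 3, 5, 7, 31):
            stick = p != 2 and disc % p != 0 and stickelberger_check(T, p, disc)
            print(T, p, decomposition_type(T, p),
                  [(e, f) for e, f, _ in decompose(T, p)],
                  "Stickelberger ok" if stick else "")
```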


4.8.3  Computing  Valuations 

Once prime ideals are known in a number field $K$, we will often need to compute the $\mathfrak{p}$-adic valuation $v$ of an ideal $I$ given in its Hermite normal form, where $\mathfrak{p}$ is a prime ideal above $p$. We may, of course, assume that $I$ is an integral ideal. Then an obvious necessary condition for $v \ne 0$ is that $p \mid \mathcal{N}(I)$. Clearly this condition is not sufficient, since all primes above $p$ must "share" in some way the exponent of $p$ in $\mathcal{N}(I)$.

We assume that our prime ideal is given as $\mathfrak{p} = p\mathbb{Z}_K + \alpha\mathbb{Z}_K$ for a certain $\alpha \in \mathbb{Z}_K$. We will now describe an algorithm to compute $v_{\mathfrak{p}}(I)$, which was explained to me by H. W. Lenstra, but which was certainly known to Dedekind. It is based on the following proposition.

Proposition 4.8.15. Let $R$ be an order in $K$ and $\mathfrak{p}$ a prime ideal of $R$. Then there exists $a \in K \setminus R$ such that $a\mathfrak{p} \subset R$. Furthermore, $\mathfrak{p}$ is invertible in $R$ if and only if $a\mathfrak{p} \not\subset \mathfrak{p}$, and in that case we have $\mathfrak{p}^{-1} = R + aR$.

Proof. Let $x \in \mathfrak{p}$ be a non-zero element of $\mathfrak{p}$, and consider the non-zero ideal $xR$. By Proposition 4.6.13, there exist non-zero prime ideals $\mathfrak{q}_i$ such that $xR \supset \prod_{i \in E} \mathfrak{q}_i$ for some finite set $E$. Assume $E$ is chosen to be minimal in the sense that no proper subset of $E$ can have the same property. Since $\prod_{i \in E} \mathfrak{q}_i \subset xR \subset \mathfrak{p}$, by Proposition 4.6.12 we must have $\mathfrak{q}_j \subset \mathfrak{p}$ for some $j \in E$, hence $\mathfrak{q}_j = \mathfrak{p}$ since both are maximal ideals. Set

$$\mathfrak{q} = \prod_{i \in E,\, i \ne j} \mathfrak{q}_i.$$

Then $\mathfrak{p}\mathfrak{q} \subset xR$ and $\mathfrak{q} \not\subset xR$ by the minimality of $E$. So choose $y \in \mathfrak{q}$ such that $y \notin xR$. Since $y\mathfrak{p} \subset xR$, the element $a = y/x$ satisfies the conditions of the proposition.

Finally, consider the ideal $\mathfrak{p} + a\mathfrak{p}$. Since it sits between the maximal ideal $\mathfrak{p}$ and $R$, it must be equal to one of the two. If it is equal to $R$, we cannot have $a\mathfrak{p} \subset \mathfrak{p}$, and since $(R + aR)\mathfrak{p} = R$, $\mathfrak{p}$ is invertible and $\mathfrak{p}^{-1} = R + aR$. If it is equal to $\mathfrak{p}$, then $a\mathfrak{p} \subset \mathfrak{p}$, and $(R + aR)\mathfrak{p} = R\mathfrak{p}$. This implies that $\mathfrak{p}$ is not invertible since otherwise, by simplifying, we would have $R + aR = R$, hence $a \in R$. This proves the proposition. □

Knowing this proposition, it is easy to obtain an algorithm for computing a suitable value of $a$. Note that $a\mathfrak{p} \subset R$ hence $ap \in R$, so we write $a = \beta/p$ with $\beta \in R$. The conditions to be satisfied for $\beta$ are then $\beta \in R \setminus pR$ and $\beta\mathfrak{p} \subset pR$.

Let $\omega_1, \ldots, \omega_n$ be a $\mathbb{Z}$-basis of $R$, and let $\gamma_1, \ldots, \gamma_m$ be generators of $\mathfrak{p}$ (for example if $\mathfrak{p} = pR + \alpha R$ we take $\gamma_1 = p$ and $\gamma_2 = \alpha$). Then, if we write

$$\beta = \sum_{1 \le i \le n} x_i\omega_i,$$

we want to find integers $x_i$ which are not all divisible by $p$ such that for all $j$ with $1 \le j \le m$ the coordinates of $(\sum_i x_i\omega_i)\gamma_j$ on the $\omega_i$ are all divisible by $p$. If we set

$$\omega_i\gamma_j = \sum_{1 \le k \le n} a_{i,j,k}\omega_k,$$

we obtain for all $j$ and $k$

$$\sum_{1 \le i \le n} a_{i,j,k}x_i \equiv 0 \pmod p$$

which is a system of $mn$ equations in $n$ unknowns in $\mathbb{Z}/p\mathbb{Z}$ for which we want a non-trivial solution. Since there are many more equations than unknowns (if $m > 1$), there is, a priori, no reason for this system to have a non-trivial solution. The proposition that we have just proved shows that it does, and we can find one by standard Gaussian elimination in $\mathbb{Z}/p\mathbb{Z}$ (for example using Algorithm 2.3.1).

In the frequent special case where $m = 2$, $\gamma_1 = p$ and $\gamma_2 = \alpha$ for some $\alpha \in \mathbb{Z}_K$, the system simplifies considerably. For $j = 1$ the equations are trivial, hence we must simply solve the square linear system

$$\sum_{1 \le i \le n} a_{i,k}x_i \equiv 0 \pmod p$$

where $\omega_i\alpha = \sum_{1 \le k \le n} a_{i,k}\omega_k$.

From now on, we assume that $R = \mathbb{Z}_K$ so that all ideals are invertible. Let $I$ be an ideal of $\mathbb{Z}_K$ given by its HNF $(M, d)$ with respect to $\theta$, where $M$ is an $n \times n$ matrix. We want to compute $v_{\mathfrak{p}}(I)$, where $\mathfrak{p}$ is a prime ideal of $\mathbb{Z}_K$ (hence invertible). By the method explained above, we first compute $a$ such that $a \in K \setminus \mathbb{Z}_K$ and $a\mathfrak{p} \subset \mathbb{Z}_K$, and as above we set $\beta = ap \in \mathbb{Z}_K$. We may assume that $I$ is an integral ideal of $\mathbb{Z}_K$. (If $I = I'/d'$ with $I'$ an integral ideal and $d' \in \mathbb{Z}$, then clearly $v_{\mathfrak{p}}(I) = v_{\mathfrak{p}}(I') - e\,v_p(d')$, where $e$ is the ramification index of $\mathfrak{p}$.) Now we have the following lemma which is the raison d'être of $a$.

Lemma 4.8.16. With the above notations, if $I$ is an integral ideal of $\mathbb{Z}_K$, then $I \subset \mathfrak{p}$ if and only if $aI \subset \mathbb{Z}_K$. In particular, $v_{\mathfrak{p}}(I)$ is the largest integer $v$ such that $a^v I \subset \mathbb{Z}_K$.

Proof. If $I \subset \mathfrak{p}$, then $aI \subset a\mathfrak{p} \subset \mathbb{Z}_K$. Conversely, assume that $aI \subset \mathbb{Z}_K$, hence $a\mathfrak{p}I \subset \mathfrak{p}$. Since the prime ideal $\mathfrak{p}$ contains the product of the integral ideals $a\mathfrak{p}$ and $I$, Proposition 4.6.12 shows that $\mathfrak{p}$ contains one of the two. Now since $\mathfrak{p}$ is invertible, $\mathfrak{p}$ cannot contain $a\mathfrak{p}$ by the above proposition, hence $\mathfrak{p} \supset I$. The final claim about the value of $v_{\mathfrak{p}}(I)$ is an immediate consequence of the definitions. □

If, as above, we set $a = \beta/p$ with $\beta \in \mathbb{Z}_K \setminus p\mathbb{Z}_K$, the condition $a^v I \subset \mathbb{Z}_K$ is equivalent to $\beta^v I \subset p^v\mathbb{Z}_K$. Let $(N, d)$ be the HNF of the maximal order $\mathbb{Z}_K$. By Corollary 4.7.6, we may assume that $N_{n,n} = 1$, by choosing $d = d_n$. Now since $I$ is an integral ideal, we have $dI \subset d\mathbb{Z}_K$, and $d\mathbb{Z}_K$ is represented by an integral matrix, hence $dI$ also, so the HNF with respect to $\theta$ of any integral ideal can be chosen of the form $(M, d)$ with the same $d$. Conversely, given $(M, d)$ where $M$ is an integral matrix in Hermite normal form representing a fractional ideal $I$, we can test whether $I$ is integral by checking $I + \mathbb{Z}_K = \mathbb{Z}_K$, hence by computing the HNF of an $n \times 2n$ matrix as explained in Section 2.4.3. In our situation, a better way is to compute the HNF $M'$ of $I$ with respect to the HNF basis of $\mathbb{Z}_K$ given by the matrix $N$ instead of with respect to $\theta$, where we allow $M'$ to have fractional entries. We clearly have

$$M' = N^{-1}M,$$

except that the non-diagonal entries may have to be reduced, and $I$ is an integral ideal if and only if $M'$ has integral entries.

Hence, let $(M_v, d)$ be the HNF of $\beta^v I$ with respect to $\theta$, $M' = N^{-1}M_v$ and set $c_v = (M')_{n,n}$. Then a necessary condition for $\beta^v I$ to be contained in $p^v\mathbb{Z}_K$ is that $p^v \mid c_v$. This condition is in general not sufficient, but very often it is. For example, it is easy to show (see Exercise 21) that the condition is sufficient when $p$ does not divide the index $[\mathbb{Z}_K : \mathbb{Z}[\theta]]$, and in particular if $\mathbb{Z}_K = \mathbb{Z}[\theta]$. In the general case, we have to check the divisibility of all the coefficients of $M_v$ by $p^v$. This leads to the following algorithm.

Algorithm 4.8.17 (Valuation at a Prime Ideal). Let $(N, d)$ be the HNF of the maximal order $\mathbb{Z}_K$, let $\mathfrak{p}$ be a prime ideal of $\mathbb{Z}_K$ above $p$ given by a generating system $\gamma_1, \ldots, \gamma_m$ over $\mathbb{Z}_K$ (for example $\gamma_1 = p$, $\gamma_2 = \alpha$ for some $\alpha \in \mathbb{Z}_K$), and let $I$ be an integral ideal of $\mathbb{Z}_K$ given by its HNF $(M, d')$. This algorithm computes the $\mathfrak{p}$-adic valuation $v_{\mathfrak{p}}(I)$ of the ideal $I$.

1. [Compute structure constants] Let $\omega_i$ be the HNF basis of $\mathbb{Z}_K$ corresponding to $(N, d)$. Compute the integers $a_{i,j,k}$ such that

$$\omega_i\gamma_j = \sum_{1 \le k \le n} a_{i,j,k}\omega_k$$

for $1 \le i \le n$ and $1 \le j \le m$. Note that $\omega_i\gamma_j$ is computed as a polynomial in $\theta$, and since $N$ is an upper triangular matrix it is easy to compute inductively the $a_{i,j,k}$ from $k = n$ down to $k = 1$.

2. [Compute $\beta$] Using ordinary Gaussian elimination over $\mathbb{F}_p$ or Algorithm 2.3.1, find a non-trivial solution to the system of congruences

$$\sum_{1 \le i \le n} a_{i,j,k}x_i \equiv 0 \pmod p.$$

Then set $\beta \leftarrow \sum_{1 \le i \le n} x_i\omega_i$.

3. [Compute $\mathcal{N}(I)$] Set $A \leftarrow (d/d')N^{-1}M$ which must be a matrix with integral entries (otherwise $I$ is not an integral ideal). Let $P$ be the product of the diagonal elements of $A$. If $p \nmid P$, output 0 and terminate the algorithm. Otherwise, set $v \leftarrow 0$.

4. [Multiply] Set $A \leftarrow \beta A$ in the following sense. Each column of $A$ corresponds to an element of $K$ in the basis $\omega_i$, and these elements are multiplied by $\beta$ and expressed again in the basis $\omega_i$ using the multiplication table for the $\omega_i$.

5. [Simple test] Using Algorithm 2.4.8, replace $A$ by its HNF. Then, if $p \nmid A_{n,n}$, output $v$ and terminate the algorithm. Otherwise, if $p$ does not divide the index $[\mathbb{Z}_K : \mathbb{Z}[\theta]] = d^n/\det(N)$, set $v \leftarrow v + 1$, $A \leftarrow A/p$ (which will be integral) and go to step 4.

6. [Complete test] Set $A \leftarrow A/p$. If $A$ is not integral, output $v$ and terminate the algorithm. Otherwise, set $v \leftarrow v + 1$ and go to step 4.

Note that steps 1 and 2 depend only on the ideal $\mathfrak{p}$, hence need be done only once if many $\mathfrak{p}$-adic valuations have to be computed for the same prime ideal $\mathfrak{p}$. Hence, a reasonable way to represent a prime ideal $\mathfrak{p}$ is as a quintuplet $(p, \alpha, e, f, \beta)$. Here $p$ is the prime number over which $\mathfrak{p}$ lies, $\alpha \in \mathbb{Z}_K$ is such that $\mathfrak{p} = p\mathbb{Z}_K + \alpha\mathbb{Z}_K$, $e$ is the ramification index and $f$ the residual index of $\mathfrak{p}$, and $\beta$ is the element of $\mathbb{Z}_K$ computed by steps 1 and 2 of the above algorithm, given by its coordinates $x_i$ in the basis $\omega_i$. Note also that Proposition 4.8.15 tells us that $p\mathfrak{p}^{-1} = p\mathbb{Z}_K + \beta\mathbb{Z}_K$.


4.8.4  Ideal  Inversion  and  the  Different 

The preceding algorithms will allow us to give a satisfactory answer to a problem which we have not yet studied, that of ideal inversion in $\mathbb{Z}_K$.

Let $I$ be an ideal of $\mathbb{Z}_K$ (which we can assume to be integral without loss of generality) given by a $\mathbb{Z}_K$-generating system $\gamma_1, \ldots, \gamma_m$. We can for example take the HNF basis of $I$ in which case $m = n$, but often $I$ will be given in a simpler way, for example by only 2 elements. We can try to mimic the first two steps of Algorithm 4.8.17 which, as remarked above, amount to computing the inverse of the prime ideal $\mathfrak{p}$.

Hence, let $\omega_1, \ldots, \omega_n$ be an integral basis of $\mathbb{Z}_K$. Then by definition of the inverse, $x \in I^{-1}$ if and only if $x\gamma_j \in \mathbb{Z}_K$ for all $j \le m$. Fix a positive integer $d$ belonging to $I$. Then $dx \in \mathbb{Z}_K$ so we can write $dx = \sum_{1 \le k \le n} x_k\omega_k$ with $x_k \in \mathbb{Z}$ and the condition $x \in I^{-1}$ can be written

$$\sum_{1 \le k \le n} x_k\gamma_j\omega_k \in d\mathbb{Z}_K \quad\text{for all } j.$$

If we define coefficients $u_{i,j,k} \in \mathbb{Z}$ by

$$\gamma_j\omega_k = \sum_{i=1}^{n} u_{i,j,k}\omega_i$$

we are thus led to the $nm \times n$ system of congruences $\sum_{1 \le k \le n} x_k u_{i,j,k} \equiv 0 \pmod d$ for all $i$ and $j$.

In the special case where $I$ is a prime ideal as in Algorithm 4.8.17, we can choose $d = p$ a prime number, and hence our system of congruences can be considered as a system of equations in the finite field $\mathbb{F}_p$, and we can apply Algorithm 2.3.1 to find a basis for the set of solutions. Here, $I$ is not a prime ideal in general, and we could try to solve the system of congruences by factoring $d$ and working modulo powers of primes. A better method is probably as follows. Introduce extra integer variables $y_{i,j}$. Then our system is equivalent to the $nm \times (n + nm)$ linear system $\sum_{1 \le k \le n} x_k u_{i,j,k} - d\,y_{i,j} = 0$ for all $i$ and $j$. We must find a $\mathbb{Z}$-basis of the solutions of this system, and for this we use the integral kernel Algorithm 2.7.2. The kernel will be of dimension $n$, and a $\mathbb{Z}$-basis of $dI^{-1}$ is then obtained by keeping only the first $n$ rows of the kernel (corresponding to the variables $x_k$).

In the common case where $m = n$, this algorithm involves $n^2 \times (n^2 + n)$ matrices, and this becomes large rather rapidly. Thus the algorithm is very slow as soon as $n$ is at all large, and hence we must find a better method. For this, we introduce an important notion in algebraic number theory, the different, referring to the introductory books mentioned at the beginning of this chapter for more details.

Definition 4.8.18. Let $K$ be a number field. The different $\mathfrak{D}(K)$ of $K$ is
defined as the inverse of the ideal (called the codifferent)

$$\{x \in K,\ \mathrm{Tr}_{K/\mathbb{Q}}(x\mathbb{Z}_K) \subset \mathbb{Z}\}.$$

It is clear that the different $\mathfrak{D}(K)$ is an integral ideal. What makes the
different interesting in our context is the following proposition.

Proposition 4.8.19. Let $(\omega_i)_{1 \le i \le n}$ be an integral basis and let $I$ be an ideal
of $\mathbb{Z}_K$ given by an $n \times n$ matrix $M$ whose columns give the coordinates of a
$\mathbb{Z}$-basis $(\gamma_i)_{1 \le i \le n}$ of $I$ on the chosen integral basis. Let $T = (t_{ij})$ be the $n \times n$
matrix such that $t_{ij} = \mathrm{Tr}_{K/\mathbb{Q}}(\omega_i\omega_j)$. Then the columns of the matrix $(M^tT)^{-1}$
(again considered as coordinates on our integral basis) form a $\mathbb{Z}$-basis of the
ideal $I^{-1}\mathfrak{D}(K)^{-1}$.

Proof. First, note that by definition of $M$, the coefficient of row $i$ and column
$j$ in $M^tT$ is equal to $\mathrm{Tr}_{K/\mathbb{Q}}(\gamma_i\omega_j)$. Furthermore, if $V = (v_j)$ is a column
vector, then $V$ belongs to the lattice spanned by the columns of $(M^tT)^{-1}$
if and only if $M^tTV$ has integer coefficients. This implies that for all $i$
$\mathrm{Tr}_{K/\mathbb{Q}}(\gamma_i(\sum_j v_j\omega_j)) \in \mathbb{Z}$, in other words that $\mathrm{Tr}_{K/\mathbb{Q}}(xI) \subset \mathbb{Z}$, where we have
set $x = \sum_j v_j\omega_j$. Since $xI = xI\mathbb{Z}_K$, the proposition follows. □

In particular, when $I = \mathbb{Z}_K$ and $\gamma_i = \omega_i$ is an integral basis, this proposition
shows that a $\mathbb{Z}$-basis of $\mathfrak{D}(K)^{-1}$ is obtained by computing the inverse of
the matrix $\mathrm{Tr}_{K/\mathbb{Q}}(\omega_i\omega_j)$. Since the determinant of this matrix is by definition
equal to $d(K)$, this also shows that $\mathcal{N}(\mathfrak{D}(K)) = |d(K)|$.

The  following  theorem  is  a  refinement  of  Theorem  4.8.8  (see  [Mar]). 

Theorem 4.8.20. The prime ideals dividing the different are exactly the ramified
prime ideals, i.e. the prime ideals whose ramification index is greater than 1.


To compute the inverse of an ideal $I$ given by a $\mathbb{Z}$-basis $\gamma_j$ represented by
an $n \times n$ matrix $M$ on the integral basis as above, we thus proceed as follows.
Computing $T^{-1}$ we first obtain a basis of the codifferent $\mathfrak{D}(K)^{-1}$. We then
compute the ideal product $I\mathfrak{D}(K)^{-1}$ by Hermite reduction of an $n \times n^2$ matrix
as explained in Section 4.7. If $N$ is the HNF matrix of this ideal product, then
by Proposition 4.8.19, the columns of $(N^tT)^{-1}$ will form a $\mathbb{Z}$-basis of the ideal
$(I\mathfrak{D}(K)^{-1})^{-1}\mathfrak{D}(K)^{-1} = I^{-1}$, thus giving the inverse of $I$ after another HNF.
In practice, it is better to work only with integral ideals, and since we know
that $\det(T) = d(K)$, this means that we will replace $\mathfrak{D}(K)^{-1}$ by $d(K)\mathfrak{D}(K)^{-1}$
which is an integral ideal.

This  leads  to  the  following  algorithm. 

Algorithm 4.8.21 (Ideal Inversion). Given an integral basis $(\omega_i)_{1 \le i \le n}$ of the
ring of integers of a number field $K$ and an integral ideal $I$ given by an $n \times n$
matrix $M$ whose columns give the coordinates of a $\mathbb{Z}$-basis $\gamma_j$ of $I$ on the $\omega_i$, this
algorithm computes the HNF of the inverse ideal $I^{-1}$.

1. [Compute $d(K)\mathfrak{D}(K)^{-1}$] Compute the $n \times n$ matrix $T = (t_{ij})$ such that
$t_{ij} = \mathrm{Tr}_{K/\mathbb{Q}}(\omega_i\omega_j)$. Set $d \leftarrow \det(T)$ (this is the discriminant $d(K)$ of $K$
hence is usually available with the $\omega_i$ already). Finally, call $\delta_j$ the elements of
$\mathbb{Z}_K$ whose coordinates on the $\omega_i$ are the columns of $dT^{-1}$ (thus the $\delta_j$ will be
a $\mathbb{Z}$-basis of the integral ideal $d(K)\mathfrak{D}(K)^{-1}$).

2. [Compute $d(K)I\mathfrak{D}(K)^{-1}$] Let $N$ be the HNF of the $n \times n^2$ matrix whose
columns are the coordinates on the integral basis of the $n^2$ products $\gamma_i\delta_j$ (the
columns of $N$ will form a $\mathbb{Z}$-basis of $d(K)I\mathfrak{D}(K)^{-1}$).

3. [Compute $I^{-1}$] Set $P \leftarrow d(K)(N^tT)^{-1}$, and let $e$ be a common denominator
for the entries of the matrix $P$. Let $W$ be the HNF of $eP$. Output $(W, e)$ as
the HNF of $I^{-1}$ and terminate the algorithm.

The  proof  of  the  validity  of  the  algorithm  is  easy  and  left  to  the  reader.  □ 


Remarks. 

(1) If many ideal inversions are to be done in the same number field, step 1
should of course be done only once. In addition, it may be useful to find
a two-element representation for the integral ideal $d(K)\mathfrak{D}(K)^{-1}$ since this
will considerably speed up the ideal multiplication of step 2. Algorithm
4.7.10 cannot directly be used for that purpose since it is valid only for
prime ideals, but similar algorithms exist for general ideals (see Exercise
30). In addition, if $\mathbb{Z}_K = \mathbb{Z}[\theta]$ and if $P[X]$ is the minimal monic polynomial
of $\theta$, then one can prove (see Exercise 33) that $\mathfrak{D}(K)$ is the principal ideal
generated by $P'(\theta)$, so the ideal multiplication of step 2 is even simpler.

(2) If we want to compute the HNF of the different $\mathfrak{D}(K)$ itself, we apply the
above algorithm to the integral ideal $d(K)\mathfrak{D}(K)^{-1}$ (with $M = d(K)T^{-1}$)
and multiply the resulting inverse by $d(K)$ to get $\mathfrak{D}(K)$.

Now that we know how to compute the inverse of an ideal, we can give an
algorithm to compute intersections. This is based on the following formula,
which is valid if $I$ and $J$ are integral ideals of $\mathbb{Z}_K$:

$$I \cap J = I \cdot J \cdot (I + J)^{-1}.$$

This corresponds to the usual formula $\mathrm{lcm}(a, b) = a \cdot b \cdot (\gcd(a, b))^{-1}$. We have
seen above how to compute the HNF of sums and products of modules, and
in particular of ideals, knowing the HNF of each operand. Since we have just
seen an algorithm to compute the inverse of an ideal, this gives an algorithm
for the intersection of two ideals.

However, a more direct (and usually better) way to compute the intersection
of two ideals is described in Exercise 18.
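The following program is an added worked example and not code from the book: it carries out Algorithm 4.8.21 and the intersection formula $I \cap J = I \cdot J \cdot (I+J)^{-1}$ for a quadratic field whose ring of integers is $\mathbb{Z}[w]$ with $w^2 = aw + b$, so that $(1, w)$ is the integral basis and $n = 2$. The multiplication rule, the column-style HNF routine, the exact matrix inverse over $\mathbb{Q}$, and the sample field $\mathbb{Q}(\sqrt{-5})$ with its ideals $(2, 1+\sqrt{-5})$ and $(3, 1+\sqrt{-5})$ are all choices made for this example.

```python
from fractions import Fraction
from math import lcm

# Added example (not code from the book): Algorithm 4.8.21 (ideal inversion) and
# the formula I ∩ J = I·J·(I+J)^{-1}, written out for a quadratic field whose ring
# of integers is Z[w] with w^2 = a*w + b, integral basis (1, w).  An element
# x + y*w is the pair (x, y); an ideal is given by a list of column vectors, the
# coordinates on (1, w) of elements that span it as a Z-lattice.

def mul(u, v, a, b):
    """Product (x + y w)(s + t w) in Z[w], reducing w^2 = a w + b."""
    (x, y), (s, t) = u, v
    return (x * s + y * t * b, x * t + y * s + y * t * a)

def trace(u, a):
    """Tr_{K/Q}(x + y w) = 2x + a*y, because Tr(w) = a (sum of the roots of X^2 - aX - b)."""
    return 2 * u[0] + a * u[1]

def hnf(cols, n=2):
    """Column-style Hermite normal form (Section 2.4) of the full-rank lattice spanned by
    integer columns: returns n upper-triangular columns with positive diagonal and
    0 <= w[i][j] < w[i][i] for the entries above the diagonal."""
    cols = [list(c) for c in cols]
    basis = []
    for i in range(n - 1, -1, -1):            # clear row i by Euclid, keep one pivot column
        while True:
            nz = sorted((c for c in cols if c[i] != 0), key=lambda c: abs(c[i]))
            if len(nz) <= 1:
                break
            p = nz[0]
            for c in nz[1:]:
                q = c[i] // p[i]
                for r in range(n):
                    c[r] -= q * p[r]
        piv = nz[0]
        cols.remove(piv)
        basis.append([-t for t in piv] if piv[i] < 0 else piv)
    basis.reverse()                            # basis[j] now has its pivot in row j
    for j in range(n):                         # reduce the entries above each pivot
        for i in range(j - 1, -1, -1):
            q = basis[j][i] // basis[i][i]
            basis[j] = [basis[j][r] - q * basis[i][r] for r in range(n)]
    return [tuple(c) for c in basis]

def inverse(A):
    """Exact inverse over Q of a square matrix given as rows (Gauss-Jordan)."""
    n = len(A)
    M = [[Fraction(x) for x in A[i]] + [Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [x / piv for x in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]

def ideal_inverse(I, a, b):
    """Algorithm 4.8.21 for Z[w]: returns (W, e) where the columns W are the HNF basis of e*I^{-1}."""
    omega = [(1, 0), (0, 1)]
    # Step 1: trace matrix T, d(K) = det T, and the columns delta_j of d*T^{-1},
    # a Z-basis of the integral ideal d(K)*D(K)^{-1}.
    T = [[trace(mul(wi, wj, a, b), a) for wj in omega] for wi in omega]
    d = T[0][0] * T[1][1] - T[0][1] * T[1][0]
    Tinv = inverse(T)
    deltas = [tuple(int(d * Tinv[i][j]) for i in range(2)) for j in range(2)]
    # Step 2: HNF N of the 2 x 4 matrix of the products gamma_i * delta_j.
    N = hnf([mul(g, dl, a, b) for g in I for dl in deltas])
    # Step 3: P = d(K) (N^t T)^{-1}; the rows of N^t are exactly the columns of N.
    P = [[d * x for x in row] for row in inverse(matmul([list(c) for c in N], T))]
    e = lcm(*[x.denominator for row in P for x in row])
    eP_cols = [tuple(int(e * P[i][j]) for i in range(2)) for j in range(2)]
    return hnf(eP_cols), e

def ideal_mul(I, J, a, b):
    """HNF of the product ideal, from the products of the two spanning sets (Section 4.7)."""
    return hnf([mul(g, h, a, b) for g in I for h in J])

def ideal_sum(I, J):
    """HNF of I + J: the lattice spanned by both spanning sets together."""
    return hnf(list(I) + list(J))

def ideal_intersection(I, J, a, b):
    """I ∩ J = I·J·(I+J)^{-1}: returns (W, e) with W the HNF basis of e*(I ∩ J)."""
    W, e = ideal_inverse(ideal_sum(I, J), a, b)
    return ideal_mul(ideal_mul(I, J, a, b), W, a, b), e

if __name__ == "__main__":
    # K = Q(sqrt(-5)): w = sqrt(-5), w^2 = -5, so a = 0, b = -5 (constructed sample input).
    P2 = [(2, 0), (1, 1)]            # the prime ideal (2, 1 + sqrt(-5)) above 2
    P3 = [(3, 0), (1, 1)]            # a prime ideal (3, 1 + sqrt(-5)) above 3
    print(ideal_inverse(P2, 0, -5))  # P2^{-1} = P2 / 2, since P2^2 = (2)
    print(ideal_intersection(P2, P3, 0, -5))  # P2 and P3 are coprime, so P2 ∩ P3 = P2·P3
```

For $\mathbb{Q}(\sqrt{-5})$ and $I = (2, 1+\sqrt{-5})$ the program returns $W$ with columns $(2,0), (1,1)$ and $e = 2$, i.e. $I^{-1} = \tfrac{1}{2} I$, which agrees with $I^2 = 2\mathbb{Z}_K$; a quick consistency check for any input is that `ideal_mul(I, W, a, b)` equals the HNF of $e\mathbb{Z}_K$. Because $I$ and $J$ are coprime in the sample, $I \cap J = IJ = (1+\sqrt{-5})\mathbb{Z}_K$, of norm 6.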


4.9  Units  and  Ideal  Classes 

4.9.1  The  Class  Group 


Definition 4.9.1. Let $K$ be a number field and $\mathbb{Z}_K$ be the ring of integers of
$K$. We say that two (fractional) ideals $I$ and $J$ of $K$ are equivalent if there
exists $\alpha \in K^*$ such that $J = \alpha I$. The set of equivalence classes is called the
class group of $\mathbb{Z}_K$ (or of $K$) and is denoted $Cl(K)$.

Since fractional ideals of $\mathbb{Z}_K$ form a group it follows that $Cl(K)$ is also a
group. The main theorem concerning $Cl(K)$ is that it is finite:

Theorem 4.9.2. For any number field $K$, the class group $Cl(K)$ is a finite
Abelian group, whose cardinality, called the class number, is denoted $h(K)$.

Denote by $\mathcal{I}(K)$ the set of fractional ideals of $K$, and $\mathcal{P}(K)$ the set of
principal ideals. We clearly have the exact sequence

$$1 \to \mathcal{P}(K) \to \mathcal{I}(K) \to Cl(K) \to 1.$$

The  determination  of  the  structure  of  Cl(K)  and  in  particular  of  the  class 
number  h(K)  is  one  of  the  main  problems  in  algorithmic  algebraic  number 
theory.  We  will  study  this  problem  in  the  case  of  quadratic  fields  in  Chapter 
5  and  for  general  number  fields  in  Chapter  6. 

Note that $h(K) = 1$ if and only if $\mathbb{Z}_K$ is a PID which in turn is if and only
if $\mathbb{Z}_K$ is a UFD. Hence the class group is the obstruction to $\mathbb{Z}_K$ being a UFD.

We  can  also  define  the  class  group  for  an  order  in  K  which  is  not  the 
maximal  order.  In  this  case  however,  since  not  every  ideal  is  invertible,  we 
must  slightly  modify  the  definition. 

Definition 4.9.3. Let $R$ be an order in $K$ which is not necessarily maximal.
We define the class group of $R$ and denote by $Cl(R)$ the set of equivalence
classes of invertible ideals of $R$ (the equivalence relation being the same as
before).

Since all fractional ideals of $\mathbb{Z}_K$ are invertible, this does generalize the
preceding definition. The class group is still a finite Abelian group whose
cardinality is called the class number of $R$ and denoted $h(R)$. Furthermore,
it follows immediately from the definitions that the map $I \mapsto I\mathbb{Z}_K$ from $R$-ideals
to $\mathbb{Z}_K$-ideals induces a homomorphism from $Cl(R)$ to $Cl(K)$ and that
this homomorphism is surjective. In particular, $h(R)$ is a multiple of $h(K)$.

Since the discovery of the class group in 1798 by Gauss, many results have
been obtained on class groups. Our ignorance however is still enormous. For
example, although widely believed to be true, it is not even known if there exist
an infinite number of isomorphism classes of number fields having class number
1 (i.e. with trivial class group, or again such that $\mathbb{Z}_K$ is a PID). Numerical
and heuristic evidence suggests that already for real quadratic fields $\mathbb{Q}(\sqrt{p})$
with $p$ prime and $p \equiv 1 \pmod 4$, not only should there be an infinite number
of PID's, but their proportion should be around 75.446% (see [Coh-Len1],
[Coh-Mar] and Section 5.10).

Class numbers and class groups arise very often in number theory. We give
two examples. In the work on Fermat's last "theorem" (FLT), it was soon discovered
that the obstruction to a proof was the failure of unique factorization
in the cyclotomic fields $\mathbb{Q}(\zeta_p)$ where $\zeta_p$ is a primitive $p$th root of unity (a number
field of degree $p - 1$, generated by the polynomial $X^{p-1} + \cdots + X + 1$),
where $p$ is an odd prime. It was Kummer who essentially introduced the notion
of ideals, and who showed how to replace unique factorization of elements
by unique factorization of ideals, which as we have seen, is always satisfied
in a Dedekind domain. It is however necessary to come back to the elements
themselves in order to finish the argument, that is to obtain a principal ideal.
What is obtained is that $\mathfrak{a}^p$ is principal for some ideal $\mathfrak{a}$. Now, by definition of
the class group, we also know that $\mathfrak{a}^h$ is principal, where $h$ is the class number
of our cyclotomic field. Hence, we can deduce that $\mathfrak{a}$ itself is principal if $p$
does not divide $h$. This fortunately seems to happen quite often (for example,
for 22 out of the 25 primes less than 100); this proves FLT in many cases
(the so-called regular primes). One can also prove FLT in other cases by more
sophisticated methods.

The second use of class groups, which we will see in more detail in Chapters
8 and 10, is for factoring large numbers. In that case one uses class groups of
quadratic fields. For example, the knowledge of the class group (in fact only
of the 2-Sylow subgroup) of $\mathbb{Q}(\sqrt{-N})$ is essentially equivalent to knowing the
factors of $N$, hence if we can find an efficient method to compute this class
group or its 2-Sylow subgroup, we obtain a method for factoring $N$. This is
the basis of work initiated by Shanks ([Sha1]) and followed by many other
people (see for example [Sey1], [Schn-Len] and [Bue1]).


4.9.2  Units  and  the  Regulator 

Recall that a unit $x$ in $K$ is an algebraic integer such that $1/x$ is also an
algebraic integer, or equivalently is an algebraic integer of norm $\pm 1$.

Definition 4.9.4. The set of units in $K$ form a multiplicative group which
we will denote by $U(K)$. The torsion subgroup of $U(K)$, i.e. the group of roots
of unity in $K$, will be denoted by $\mu(K)$.

(Note that some people write $E(K)$ because of the German word "Einheiten"
for units, but we will keep the letter $E$ for elliptic curves.)

It is clear that we have the exact sequence

$$1 \to U(K) \to K^* \to \mathcal{P}(K) \to 1,$$

where as before $\mathcal{P}(K)$ denotes the set of principal ideals in $K$. If we combine
this exact sequence with the preceding one, we can complete a commutative
diagram in the context of ideles, by introducing a generalization of the class
group, called the idele class group $C(K)$. We will not consider these subjects
in this course, but without explaining the notations (see [Lang2]) I give the
diagram:

$$\begin{array}{ccccccccc}
1 & \to & U(K) & \to & J_{S_\infty}(K) & \to & C_{S_\infty}(K) & \to & 1 \\
  &     & \downarrow & & \downarrow & & \downarrow & & \\
1 & \to & K^* & \to & J(K) & \to & C(K) & \to & 1 \\
  &     & \downarrow & & \downarrow & & \downarrow & & \\
1 & \to & \mathcal{P}(K) & \to & \mathcal{I}(K) & \to & Cl(K) & \to & 1 \\
  &     & \downarrow & & \downarrow & & \downarrow & & \\
  &     & 1 & & 1 & & 1 & &
\end{array}$$
The main result concerning units is the following theorem.

Theorem 4.9.5 (Dirichlet). Let $(r_1, r_2)$ be the signature of $K$. Then the group
$U(K)$ is a finitely generated Abelian group of rank $r_1 + r_2 - 1$. In other words,
we have a group isomorphism

$$U(K) \simeq \mu(K) \times \mathbb{Z}^{r_1 + r_2 - 1}$$

and $\mu(K)$ is a finite cyclic group.

If we set $r = r_1 + r_2 - 1$, we see that there exist units $u_1, \ldots, u_r$ such
that every element $x$ of $U(K)$ can be written in a unique way as

$$x = \zeta\, u_1^{n_1} \cdots u_r^{n_r}$$

where $n_i \in \mathbb{Z}$ and $\zeta$ is a root of unity in $K$. Such a family $(u_i)$ will be called
a system of fundamental units of $K$. It is not unique, but since changing a
$\mathbb{Z}$-basis of $\mathbb{Z}^r$ into another involves multiplication by a matrix of determinant
$\pm 1$, the absolute value of the determinant of the $u_i$ in some appropriate sense
is independent of the choice of the $u_i$, and this is what we will call the regulator
of $K$. The difficulty in defining the determinant comes because the units form
a multiplicative group. To use determinants, one must linearize the problem,
i.e. take logarithms.

Let $\sigma_1, \ldots, \sigma_{r_1}, \sigma_{r_1+1}, \ldots, \sigma_{r_1+r_2}$ be the first $r_1 + r_2$ embeddings of $K$ in
$\mathbb{C}$, where the $\sigma_i$ for $i \le r_1$ are the real embeddings, and the other embeddings
are the $\sigma_i$ and $\overline{\sigma_i} = \sigma_{r_2+i}$ for $i > r_1$.


Definition 4.9.6. The logarithmic embedding of $K^*$ in $\mathbb{R}^{r_1 + r_2}$ is the map
$L$ which sends $x$ to

$$L(x) = \big(\ln|\sigma_1(x)|, \ldots, \ln|\sigma_{r_1}(x)|, 2\ln|\sigma_{r_1+1}(x)|, \ldots, 2\ln|\sigma_{r_1+r_2}(x)|\big).$$

It is clear that $L$ is an Abelian group homomorphism. Furthermore, we
clearly have $\ln|N_{K/\mathbb{Q}}(x)| = \sum_{1 \le i \le r_1 + r_2} L_i(x)$ where $L_i(x)$ denotes the $i$th
component of $L(x)$. It follows that the image of the subgroup of $K^*$ of elements
of norm equal to $\pm 1$ is contained in the hyperplane $\sum_{1 \le i \le r_1 + r_2} x_i = 0$ of
$\mathbb{R}^{r_1 + r_2}$.

The first part of the following theorem is essentially a restatement of
Theorem 4.9.5, and the second part is due to Kronecker (see Exercise 25).

Theorem 4.9.7.

(1) The image of the group of units $U(K)$ under the logarithmic embedding
is a lattice (of rank $r_1 + r_2 - 1$) in the hyperplane $\sum_{1 \le i \le r_1 + r_2} x_i = 0$ of
$\mathbb{R}^{r_1 + r_2}$.

(2) The kernel of the logarithmic embedding is exactly equal to the group
of the roots of unity in $K$.


Definition 4.9.8. The volume of this lattice, i.e. the absolute value of the
determinant of any $\mathbb{Z}$-basis of the above defined lattice is called the regulator
of $K$ and denoted $R(K)$. If $u_1, \ldots, u_r$ is a system of fundamental units of $K$
(where $r = r_1 + r_2 - 1$), $R(K)$ can also be defined as the absolute value of the
determinant of any of the $r \times r$ matrices extracted from the $r \times (r + 1)$ matrix

$$\big(\ln \|\sigma_j(u_i)\|\big)_{1 \le i \le r,\ 1 \le j \le r + 1}$$

where $\|\sigma(x)\| = |\sigma(x)|$ if $\sigma$ is a real embedding and $\|\sigma(x)\| = |\sigma(x)|^2$ if $\sigma$ is a
complex embedding (note that $L(x) = (\ln \|\sigma_i(x)\|)_{1 \le i \le r + 1}$).
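To make Definitions 4.9.6 and 4.9.8 concrete, here is an added numerical example (not code from the book) for the totally real cubic field $K = \mathbb{Q}(\theta)$ with $\theta^3 + \theta^2 - 2\theta - 1 = 0$, whose conjugates are $2\cos(2\pi j/7)$, so $(r_1, r_2) = (3, 0)$ and $r = 2$. The two units $\theta$ and $\theta^2 - 2$ (the latter equal to $2\cos(4\pi/7)$) are assumed as a pair of independent units; the example does not establish that they are fundamental, so the number it computes is the regulator of the lattice they span. It forms the $r \times (r+1)$ matrix of the definition, takes all three $r \times r$ minors, and checks that their absolute determinants agree, which holds because each row sums to $\ln|N_{K/\mathbb{Q}}(u_i)| = 0$.

```python
from math import cos, pi, log, isclose

# Added example (not code from the book): the logarithmic embedding of Definition
# 4.9.6 and the regulator of Definition 4.9.8, computed numerically for the totally
# real cubic field K = Q(theta), theta^3 + theta^2 - 2 theta - 1 = 0, signature (3, 0),
# so r = 2.  The three real roots are theta_j = 2 cos(2 pi j / 7).  The units theta
# and theta^2 - 2 are assumed as two independent units; nothing here proves that
# they are fundamental.  Elements are polynomials in theta, coefficient lists with
# the constant term first.

THETA = [2 * cos(2 * pi * j / 7) for j in (1, 2, 3)]   # sigma_1(theta), sigma_2(theta), sigma_3(theta)

def embed(poly, j):
    """sigma_j(f(theta)) = f(theta_j): evaluate the polynomial at the j-th conjugate (j = 0, 1, 2)."""
    return sum(c * THETA[j] ** k for k, c in enumerate(poly))

def log_embedding(values, r1):
    """L(x) of Definition 4.9.6 from the values sigma_1(x), ..., sigma_{r1+r2}(x):
    ln|sigma_i(x)| for the r1 real embeddings and 2 ln|sigma_i(x)| for the complex ones."""
    return tuple(log(abs(v)) if i < r1 else 2 * log(abs(v)) for i, v in enumerate(values))

def det(M):
    """Determinant of a small square float matrix by Gaussian elimination with pivoting."""
    M = [list(row) for row in M]
    n, result = len(M), 1.0
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-14:
            return 0.0
        if p != c:
            M[c], M[p] = M[p], M[c]
            result = -result
        result *= M[c][c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return result

def regulator(units, r1=3):
    """|det| of the r x r minors of the r x (r+1) matrix (ln||sigma_j(u_i)||).  Definition 4.9.8
    says every choice of omitted column gives the same value; that is checked here, and it
    holds because each row sums to ln|N(u_i)| = 0 for a unit."""
    rows = [log_embedding([embed(u, j) for j in range(3)], r1) for u in units]
    r = len(rows)
    minors = [abs(det([[row[j] for j in range(r + 1) if j != k] for row in rows]))
              for k in range(r + 1)]
    assert all(isclose(m, minors[0], rel_tol=1e-9) for m in minors)
    return minors[0]

def log_norm(poly, r1=3):
    """ln|N_{K/Q}(x)| as the sum of the components of L(x)."""
    return sum(log_embedding([embed(poly, j) for j in range(3)], r1))

UNITS = [[0, 1], [-2, 0, 1]]     # theta and theta^2 - 2

if __name__ == "__main__":
    print(regulator(UNITS))      # regulator of the lattice spanned by the two units, about 0.5255
    print(log_norm([1, 1]))      # ln|N(1 + theta)|; 1 + theta is a unit here, so this is 0
```

The value printed for the two units is about 0.5255; `log_norm([2])` returns $\ln 8$, as $N_{K/\mathbb{Q}}(2) = 2^3$, which illustrates the identity $\ln|N_{K/\mathbb{Q}}(x)| = \sum_i L_i(x)$ stated after Definition 4.9.6.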

The  problem  of  computing  regulators  (or  fundamental  units)  is  closely 
linked  to  the  problem  of  computing  class  numbers,  and  is  one  of  the  other 
main  tasks  of  computational  algebraic  number  theory. 

On the other hand, the problem of computing the subgroup of roots of
unity $\mu(K)$ is not difficult. Note, for example, that if $r_1 > 0$ then $\mu(K) = \{\pm 1\}$
since all other roots of unity are non-real. Hence, we can assume $r_1 = 0$,
and by the above theorem we must find integers $x_i$ such that for every $j$,
$|\sigma_j(\sum_{1 \le i \le n} x_i\omega_i)|^2 = 1$ where $\omega_i$ is an integral basis of $\mathbb{Z}_K$. If we set $x =
(x_1, \ldots, x_n)$, this implies that

$$Q(x) = \sum_j \Big|\sigma_j\Big(\sum_{1 \le i \le n} x_i\omega_i\Big)\Big|^2 = n.$$

Conversely, the inequality between arithmetic and geometric mean shows that
if $\beta \in \mathbb{Z}_K \setminus \{0\}$, then

$$\sum_j |\sigma_j(\beta)|^2 \ge n\Big(\prod_j |\sigma_j(\beta)|^2\Big)^{1/n} \ge n$$

with equality if and only if all $|\sigma_j(\beta)|^2$ are equal. It follows that $n$ is the minimum
non-zero value of the quadratic form $Q$ on $\mathbb{Z}^n$, and that this minimum
is attained when $|\sigma_j(\beta)| = 1$ for all $j$, where $\beta = \sum_i x_i\omega_i$. Finally, Theorem
4.9.7 (2) tells us that such a $\beta$ is a root of unity (see Exercise 25). Hence, the
computation of the minimal vectors of the lattice $(\mathbb{Z}^n, Q)$ using, for example,
the Fincke-Pohst Algorithm 2.7.7, will give us quite rapidly the set of roots of
unity in $K$. Thus we have the following algorithm.

Algorithm 4.9.9 (Roots of Unity Using Fincke-Pohst). Let $K = \mathbb{Q}(\theta)$ be a
number field of degree $n$ and $T$ the minimal monic polynomial of $\theta$ over $\mathbb{Q}$. This
algorithm computes the order $w(K)$ of the group of roots of unity $\mu(K)$ of $K$
(hence $\mu(K)$ will be equal to the set of powers of a primitive $w(K)$-th root of
unity).

1. [Initialize] Using Algorithm 4.1.11 compute the signature $(r_1, r_2)$ of $K$. If $r_1 >
0$, output $w(K) = 2$ and terminate the algorithm. Otherwise, using Algorithm
6.1.8 of Chapter 6, compute an integral basis $\omega_1, \ldots, \omega_n$ of $K$ as polynomials
in $\theta$.

2. [Compute matrix] Using Algorithm 3.6.6, compute a reasonably accurate value
of $\theta$ and its conjugates $\sigma_j(\theta)$ as the roots of $T$, then the numerical values of
$\sigma_j(\omega_k)$. Finally, compute a reasonably accurate approximation to

$$q_{i,j} = \sum_{1 \le k \le n} \sigma_k(\omega_i)\overline{\sigma_k(\omega_j)}$$

(note that this will be a real number), and let $A$ be the symmetric matrix
$A = (q_{i,j})_{1 \le i, j \le n}$.

3. [Apply Fincke-Pohst] Apply Algorithm 2.7.7 to the matrix $A$ and the constant
$C = n + 0.1$.

4. [Final check] Set $s \leftarrow 0$. For each pair $(x, -x)$ with $x = (x_1, \ldots, x_n)$ which is
output by Algorithm 2.7.7, set $\beta \leftarrow \sum_{1 \le i \le n} x_i\omega_i$, and set $s \leftarrow s + 1$ if $\beta$ is
a root of unity (this can be checked exactly in several easy ways, see Exercise
26).

5. Output $w(K) \leftarrow 2s$ and terminate the algorithm.


Remark. The quadratic form $Q$ considered here is, not surprisingly, the same
as the one that we used for the polynomial reduction Algorithm 4.4.11. Note
however that in POLRED we only wanted small vectors in the lattice, corresponding
to algebraic numbers of degree exactly equal to $n$, while here we
want the smallest vectors, and they correspond in general to algebraic numbers
of degree less than $n$. Note also that in practice all the vectors output in
step 4 correspond to roots of unity.

We can also give an algorithm based on those of Section 4.5.3 as follows.


Algorithm 4.9.10 (Roots of Unity Using the Subfield Problem). Let $K =
\mathbb{Q}(\theta)$ be a number field of degree $n$ and $T$ the minimal monic polynomial of $\theta$ over
$\mathbb{Q}$. This algorithm computes the order $w(K)$ of the group of roots of unity $\mu(K)$
of $K$ (hence $\mu(K)$ will be equal to the set of powers of a primitive $w(K)$-th root
of unity).

1. [Initialize] Using Algorithm 4.1.11 compute the signature $(r_1, r_2)$ of $K$. If $r_1 >
0$, output $w(K) = 2$ and terminate the algorithm. Otherwise, using Algorithm
6.1.8 of Chapter 6, compute the discriminant $d(K)$ of $K$, and set $w \leftarrow 1$.

2. [Compute primes] Let $\mathcal{L}$ be the list of primes $p$ such that $(p - 1) \mid n$ (since $n$
is very small, $\mathcal{L}$ can be simply obtained by trial division). Let $c$ be the number
of elements of $\mathcal{L}$, and set $i \leftarrow 0$.

3. [Get next prime and exponent] Set $i \leftarrow i + 1$. If $i > c$ output $w$ and terminate
the algorithm. Otherwise, let $p$ be the $i$-th element in the list $\mathcal{L}$, set

$$k \leftarrow \left\lfloor \frac{v_p(d(K))}{n} + \frac{1}{p - 1} \right\rfloor$$

and set $j \leftarrow 0$.

4. [Test cyclotomic polynomials] Set $j \leftarrow j + 1$. If $j > k$, go to step 3. Otherwise,
applying Algorithm 4.5.4 to $A(X) = \Phi_{p^j}(X)$ and $B(X) = T(X)$
(where $\Phi_{p^j}(X) = \sum_{i=0}^{p-1} X^{ip^{j-1}}$ is the $p^j$-th cyclotomic polynomial) determine
whether $K$ has a subfield isomorphic to $\mathbb{Q}(\zeta_{p^j})$ (where $\zeta_{p^j}$ is some root
of $\Phi_{p^j}(X)$, i.e. a primitive $p^j$-th root of unity). If it does, go to step 4, and if
not, set $w \leftarrow wp^{j-1}$ and go to step 3.


Remarks.

(1) The validity of the check in step 3 follows from Exercise 24 and Proposition
4.4.8. We can avoid the computation of the discriminant of $K$, and skip
this step, at the expense of spending more time in step 4.

(2) We refer to [Was] or [Ire-Ros] for cyclotomic fields (which we will meet
again in Chapter 9) and cyclotomic polynomials. The (general) cyclotomic
polynomials can be computed either by induction or by the explicit formula

$$\Phi_m(X) = \prod_{d \mid m} (X^d - 1)^{\mu(m/d)}$$

where $\mu(n)$ is the Möbius function, but in our case this simplifies to the
formula

$$\Phi_{p^j}(X) = \sum_{i=0}^{p-1} X^{ip^{j-1}}$$

used in the algorithm.

(3) Although Algorithm 4.9.10 is more pleasing to the mind, Algorithm 4.9.9
is considerably faster and should therefore be preferred in practice. Care
should be taken however to be sufficiently precise in the computation of the
numerical values of the coefficients of $Q$. We have given in detail Algorithm
4.9.10 to show that an exact algorithm also exists.
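The two formulas of Remark (2) are easy to turn into exact code. The following added example (not code from the book) computes $\Phi_m(X)$ from the Möbius product, multiplying the factors with exponent $+1$ and dividing exactly by those with exponent $-1$, and separately builds $\Phi_{p^j}(X)$ from the prime-power formula used in step 4 of Algorithm 4.9.10, so the two can be compared. Polynomials are plain integer coefficient lists and the Möbius function is computed by trial division; both are choices made for this example.

```python
# Added example (not code from the book): the general and the prime-power formulas
# for cyclotomic polynomials quoted in Remark (2) after Algorithm 4.9.10, with exact
# integer polynomial arithmetic.  A polynomial is a list of integer coefficients,
# constant term first.

def mobius(n):
    """Möbius function mu(n) by trial division (n is tiny in this setting)."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0          # a square factor kills mu
            result = -result
        p += 1
    return -result if n > 1 else result

def poly_mul(P, Q):
    """Product of two integer polynomials."""
    R = [0] * (len(P) + len(Q) - 1)
    for i, x in enumerate(P):
        for j, y in enumerate(Q):
            R[i + j] += x * y
    return R

def poly_divexact(P, Q):
    """Quotient P / Q of integer polynomials, Q monic; the remainder must vanish."""
    P = list(P)
    out = [0] * (len(P) - len(Q) + 1)
    for k in range(len(out) - 1, -1, -1):
        coef = P[k + len(Q) - 1] // Q[-1]
        out[k] = coef
        for j, y in enumerate(Q):
            P[k + j] -= coef * y
    assert all(c == 0 for c in P), "division was not exact"
    return out

def x_pow_minus_one(d):
    """The polynomial X^d - 1."""
    return [-1] + [0] * (d - 1) + [1]

def cyclotomic(m):
    """Phi_m(X) = prod_{d | m} (X^d - 1)^{mu(m/d)}: collect the factors with exponent +1
    in the numerator and those with exponent -1 in the denominator, then divide."""
    num, den = [1], [1]
    for d in range(1, m + 1):
        if m % d == 0:
            mu = mobius(m // d)
            if mu == 1:
                num = poly_mul(num, x_pow_minus_one(d))
            elif mu == -1:
                den = poly_mul(den, x_pow_minus_one(d))
    return poly_divexact(num, den)

def cyclotomic_prime_power(p, j):
    """Phi_{p^j}(X) = sum_{i=0}^{p-1} X^{i p^{j-1}}, the special case used in Algorithm 4.9.10."""
    step = p ** (j - 1)
    coeffs = [0] * ((p - 1) * step + 1)
    for i in range(p):
        coeffs[i * step] = 1
    return coeffs

if __name__ == "__main__":
    print(cyclotomic(12))                       # X^4 - X^2 + 1
    print(cyclotomic(9) == cyclotomic_prime_power(3, 2))
```

Running `cyclotomic(12)` gives the coefficient list of $X^4 - X^2 + 1$, and for every prime power the general formula reproduces `cyclotomic_prime_power(p, j)`. The general routine also shows why the simplification matters: $\Phi_{105}(X)$, the first cyclotomic polynomial with a coefficient of absolute value 2, needs a product of four factors divided by four others, whereas $\Phi_{p^j}$ is written down directly.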


All  the  quantities  that  we  have  defined  above  are  tied  together  if  we  view 
them  analytically. 


Definition 4.9.11. Let $K$ be a number field. We define for $\mathrm{Re}(s) > 1$ the
Dedekind zeta function $\zeta_K(s)$ of $K$ by the formulas

$$\zeta_K(s) = \sum_{\mathfrak{a}} \frac{1}{\mathcal{N}(\mathfrak{a})^s} = \prod_{\mathfrak{p}} \frac{1}{1 - \mathcal{N}(\mathfrak{p})^{-s}},$$

where the sum is over all non-zero integral ideals of $\mathbb{Z}_K$ and the product is
over all non-zero prime ideals of $\mathbb{Z}_K$.

The equality between the two definitions follows from unique factorization
into prime ideals (Theorem 4.6.14), and the convergence for $\mathrm{Re}(s) > 1$ is
proved in Exercise 22.

The  basic  theorem  concerning  this  function  is  the  following. 

Theorem 4.9.12 (Dedekind). Let $K$ be a number field of degree $n$ having $r_1$
real places and $r_2$ complex ones (so $r_1 + 2r_2 = n$). Denote by $d(K)$, $h(K)$,
$R(K)$ and $w(K)$ the discriminant, class number, regulator and number of roots
of unity of $K$ respectively.

(1) The function $\zeta_K(s)$ can be analytically continued to the whole complex
plane into a meromorphic function having a single pole at $s = 1$ which is
simple.

(2) If we set

$$\Lambda(s) = |d(K)|^{s/2} \left(\pi^{-s/2}\Gamma(s/2)\right)^{r_1} \left((2\pi)^{-s}\Gamma(s)\right)^{r_2} \zeta_K(s)$$

we have the functional equation

$$\Lambda(1 - s) = \Lambda(s).$$

(3) If we set $r = r_1 + r_2 - 1$ (which is the rank of the unit group), $\zeta_K(s)$ has
a zero of order $r$ at $s = 0$ and we have

$$\lim_{s \to 0} s^{-r}\zeta_K(s) = -\frac{h(K)R(K)}{w(K)}.$$

(4) Equivalently by the functional equation, the residue of $\zeta_K(s)$ at $s = 1$ is
given by

$$\lim_{s \to 1} (s - 1)\zeta_K(s) = \frac{2^{r_1}(2\pi)^{r_2}\, h(K)R(K)}{w(K)\sqrt{|d(K)|}}.$$


This theorem shows one among numerous instances where $h(K)$ and $R(K)$
are inextricably linked.

Remarks.

(1) From this theorem it is easily shown (see Exercise 23) that if $N_K(x)$ denotes
the number of integral ideals of norm less than or equal to $x$, then

$$\lim_{x \to \infty} \frac{N_K(x)}{x} = \frac{2^{r_1}(2\pi)^{r_2}\, h(K)R(K)}{w(K)\sqrt{|d(K)|}}.$$


(2) It is also possible to prove the following generalization of the prime number
theorem (see [Lang2]).

Theorem 4.9.13. Let $\pi_K(x)$ (resp. $\pi_K^{(1)}(x)$) be the number of prime ideals
(resp. prime ideals of degree 1) whose norm is less than or equal to $x$. Then

$$\lim_{x \to \infty} \frac{\pi_K(x)}{x/\ln(x)} = \lim_{x \to \infty} \frac{\pi_K^{(1)}(x)}{x/\ln(x)} = 1.$$


Dedekind's Theorem 4.9.12 shows that the behavior of $\zeta_K(s)$ at $s = 0$ and
$s = 1$ is linked to fundamental arithmetic invariants of the number field $K$.
Siegel proved that the values at negative integers are rational numbers, hence
they also have some arithmetic significance. From the functional equation it
is immediately clear that $\zeta_K(s)$ vanishes for all negative integers $s$ if $K$ is
not totally real, and for even negative integers if $K$ is totally real. Hence, the
only interesting values are the $\zeta_K(1 - 2m)$ for totally real fields $K$ ($r_2 = 0$)
and positive integral $m$. There are special methods, essentially due to Siegel,
for computing these values using the theory of Hilbert modular forms. As
an example, we give the following result, which also shows the arithmetic
significance of these values (see [Coh], [Zag1]).

Theorem 4.9.14. Let $K = \mathbb{Q}(\sqrt{D})$ be a real quadratic field of discriminant
$D$. Define $\sigma(n)$ to be equal to the sum of the positive divisors of $n$ if $n$ is
positive, and equal to 0 otherwise. Then

(1)

$$\zeta_K(-1) = \frac{1}{60} \sum_{s \equiv D \pmod 2} \sigma\!\left(\frac{D - s^2}{4}\right)$$

(this is a finite sum).

(2) The number $r_5(D)$ of representations of $D$ as a sum of 5 squares of elements
of $\mathbb{Z}$ (counting representations with a different ordering as distinct)
is given by

$$r_5(D) = 480\left(5 - 2\left(\frac{D}{2}\right)\right)\zeta_K(-1)$$

(this formula must be slightly modified if $D$ is not the discriminant of a
real quadratic field, see [Coh2]).
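Theorem 4.9.14 is unusual among the results of this section in being directly computable, and the following added example (not code from the book) does so. Part (1) is evaluated exactly as a rational number; for part (2) the factor $5 - 2\left(\frac{D}{2}\right)$, with $\left(\frac{D}{2}\right)$ the Kronecker symbol, is the reading of the scanned formula adopted above, and `r5_bruteforce` counts the signed, ordered 5-tuples directly so that the two sides can be compared on small discriminants. The divisor-sum and Kronecker-symbol routines are written for this example.

```python
from itertools import product
from math import isqrt
from fractions import Fraction

# Added example (not code from the book): Theorem 4.9.14 made computable.  Part (1)
# gives zeta_K(-1) for K = Q(sqrt(D)) as a finite divisor-function sum; part (2) ties
# it to r_5(D), the number of ways to write D as a sum of five squares.  The factor
# 5 - 2*(D/2) in r5_formula, (D/2) being the Kronecker symbol, is the reading of
# the scanned formula adopted here; r5_bruteforce counts the representations directly.

def sigma(n):
    """Sum of the positive divisors of n for n > 0, and 0 otherwise (as in Theorem 4.9.14)."""
    if n <= 0:
        return 0
    return sum(d + (n // d if d * d != n else 0) for d in range(1, isqrt(n) + 1) if n % d == 0)

def zeta_minus_one(D):
    """zeta_K(-1) = (1/60) * sum_{s ≡ D (mod 2)} sigma((D - s^2)/4); only |s| <= sqrt(D) contribute."""
    total = 0
    for s in range(-isqrt(D), isqrt(D) + 1):
        if (s - D) % 2 == 0:
            total += sigma((D - s * s) // 4)   # exact: D ≡ 0 or 1 (mod 4) and s ≡ D (mod 2)
    return Fraction(total, 60)

def kronecker_2(D):
    """The Kronecker symbol (D/2): 0 for even D, +1 for D ≡ ±1 (mod 8), -1 for D ≡ ±3 (mod 8)."""
    if D % 2 == 0:
        return 0
    return 1 if D % 8 in (1, 7) else -1

def r5_formula(D):
    """r_5(D) = 480 * (5 - 2*(D/2)) * zeta_K(-1), for D the discriminant of a real quadratic field."""
    return 480 * (5 - 2 * kronecker_2(D)) * zeta_minus_one(D)

def r5_bruteforce(D):
    """Count ordered, signed 5-tuples of integers whose squares sum to D (direct enumeration)."""
    m = isqrt(D)
    return sum(1 for t in product(range(-m, m + 1), repeat=5) if sum(x * x for x in t) == D)

if __name__ == "__main__":
    for D in (5, 8, 12, 13, 17, 24):            # constructed sample discriminants
        print(D, zeta_minus_one(D), r5_formula(D), r5_bruteforce(D))
```

For $D = 5$ the sum in (1) has only the terms $s = \pm 1$, each contributing $\sigma(1) = 1$, so $\zeta_K(-1) = 2/60 = 1/30$; the formula then predicts $r_5(5) = 480 \cdot 7 \cdot \tfrac{1}{30} = 112$, which is the count of the representations $(\pm 2, \pm 1, 0, 0, 0)$ in any order (80 of them) together with $(\pm 1, \pm 1, \pm 1, \pm 1, \pm 1)$ (32 of them).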


I have already mentioned how little we know about class numbers. The
same can be said about regulators. For example, we can define the regulator of
a number field in a $p$-adic context, essentially by replacing the real logarithms
by $p$-adic ones. In that case, even an analogue of Dirichlet's theorem that the
regulator does not vanish is not known. This is a famous unsolved problem
known as Leopoldt's conjecture. It is known to be true for some classes of
fields, for example Abelian extensions of $\mathbb{Q}$ (see [Was] Section 5.5).

We do have a theorem which gives a quantitative estimate for the product
of the class number and the regulator (see [Sie], [Brau] and [Lang2]):

Theorem 4.9.15 (Brauer-Siegel). Let $K$ vary in a family of number fields
such that $|d(K)|^{1/\deg(K)}$ tends to infinity, where $d(K)$ is the discriminant of
$K$. Assume, in addition, that these fields are Galois over $\mathbb{Q}$. Then, we have
the following asymptotic relation:

$$\ln(h(K)R(K)) \sim \ln(|d(K)|^{1/2}).$$


This shows that the product $h(K)R(K)$ behaves roughly as the square root
of the discriminant. The main problem with this theorem is that it is non-effective,
meaning that nobody knows how to give explicit constants to make
the $\sim$ sign disappear. For example, for imaginary quadratic fields, $r = 0$ hence
$R(K) = 1$, and although the Brauer-Siegel theorem tells us that $h(K)$ tends
to infinity with $|d(K)|$, and even much more, the problem of finding an explicit
function $f(d)$ tending to infinity with $d$ and such that $h(K) > f(|d(K)|)$ is
extremely difficult and was only solved recently using sophisticated methods
involving elliptic curves and modular forms, by Goldfeld, Gross and Zagier
([Gol], [Gro-Zag2]).

Note that one conjectures that the theorem is still true without the
hypothesis that the fields are Galois extensions. This would follow from
Artin's conjecture on non-Abelian $L$-functions and on certain Generalized
Riemann Hypotheses. On the other hand, one can prove that the hypothesis
on $|d(K)|^{1/\deg(K)}$ is necessary. The following is a simple corollary of the
Brauer-Siegel Theorem 4.9.15:

Corollary 4.9.16. Let $K$ vary over a family of number fields of fixed degree
over $\mathbb{Q}$. Then, as $|d(K)| \to \infty$, we have

$$\ln(h(K)R(K)) \sim \ln(|d(K)|^{1/2}).$$


4.9.3 Conclusion: the Main Computational Tasks of Algebraic
Number Theory

From the preceding definitions and results, it can be seen that the main computational
problems for a number field $K = \mathbb{Q}(\theta)$ are the following:

(1) Compute an integral basis of $\mathbb{Z}_K$, determine the decomposition of prime
numbers in $\mathbb{Z}_K$ and $p$-adic valuations for given ideals or elements.

(2) Compute the Galois group of the Galois closure of $K$.

(3) Compute a system of fundamental units of $K$ and/or the regulator $R(K)$.
Note that these two problems are not completely equivalent, since for
many applications, only the approximate value of the real number $R(K)$
is desired. In most cases, by the Brauer-Siegel theorem, the fundamental
units are too large even to write down, at least in a naive manner (see
Section 5.8.3 for a representation which avoids this problem).

(4) Compute the class number and the structure of the class group $Cl(K)$. It
is essentially impossible to do this without also computing the regulator.

(5) Given an ideal $I$ of $\mathbb{Z}_K$, determine whether or not it is principal, and if it
is, compute $\alpha \in K$ such that $I = \alpha\mathbb{Z}_K$.

In the rest of this book, we will give algorithms for these tasks, placing
special emphasis on the case of quadratic fields.

Although  they  are  all  rather  complex,  some  sophisticated  versions  are  quite 
efficient.  With  fast  computers  and  careful  implementations,  it  is  possible  to 
tackle  the  above  tasks  for  quadratic  number  fields  whose  discriminant  has  50 
or  60  decimal  digits  (less  for  general  number  fields).  Work  on  this  subject  is 
currently  in  progress  in  several  places. 


4.10  Exercises  for  Chapter  4 

1. (J. Martinet) Let $P(X) = X^4 + aX^3 + bX^2 + cX + d \in \mathbb{R}[X]$ be a squarefree
polynomial. Set $D \leftarrow \mathrm{disc}(P)$, $A \leftarrow 3a^2 - 8b$, $B \leftarrow b^2 - a^2b + (3/16)a^4 + ac - 4d$.
Show that the signature of $P$ is given by the following formulas. $(r_1, r_2) = (2, 1)$
iff $D < 0$, $(r_1, r_2) = (4, 0)$ iff $D > 0$, $A > 0$ and $B > 0$, and $(r_1, r_2) = (0, 2)$ iff
$D > 0$ and either $A < 0$ or $B < 0$. (Hint: use Exercise 29 of Chapter 3.)
2. If $\alpha$ and $\beta$ are two algebraic numbers of degree $n$ generating the same number
field $K$ over $\mathbb{Q}$, write an algorithm to find the standard representation of $\beta$ in
terms of $\alpha$ knowing the standard representation of $\alpha$ in terms of $\theta$.

3. Prove Newton's formulas (i.e. Proposition 4.3.3).

4. Compute the minimal polynomial of $\alpha = 2 + 2^{1/2}$ using several methods, and
compare their efficiency.

5. Let $K$ be a number field of signature $(r_1, r_2)$. Using the canonical isomorphism

$$K \otimes \mathbb{R} \simeq \mathbb{R}^{r_1} \times \mathbb{C}^{r_2}$$

show that the quadratic form $\mathrm{Tr}_{K/\mathbb{Q}}(x^2)$ has signature $(r_1 + r_2, r_2)$.

6.  Prove  that  if  P  =  akXk  is  a  monic  polynomial  and  if  S  =  size(P)  in  the 

sense  of  Section  4.4.2,  then 


|Un  —  k  5; 


and  that  the  constant  is  best  possible  if  P  is  assumed  to  be  with  complex  (as 
opposed  to  integral)  coefficients  (hint:  use  a  variational  principle). 

7.  (D.  Shanks.)  Using  for  example  Algorithm  4.4.11,  show  the  following  “incredible 
identity”  A  =  B,  where 

A  =  V 5  +  V22  +  2V5 

and 

B  =  \/ll  +  2v/29  +\/l6  — 2\/29  +  2\/55-  10>/29. 

See  [Sha4]  for  an  explanation  of  this  phenomenon  and  other  examples.  See  also 
[BFHT]  and  [Zip]  for  the  general  problem  of  radical  simplification. 

8.  Consider  modifying  the  POLRED  algorithm  as  follows.  Instead  of  the  quadratic 
form  size(P),  we  take  instead 


/(P)  =  ^|ai-aJ|2, 

i<j 

which  is  still  a  quadratic  form  in  the  n  variables  Xi  when  we  write  a  =  XiU>i. 

Experiment  on  this  to  compare  it  with  POLRED,  and  in  particular  see  whether 
it  gives  a  larger  number  of  proper  subfields  of  AT  or  a  smaller  index. 

9.  Prove  Proposition  4.5.3. 

10.  Write  an  algorithm  which  outputs  all  quadratic  subfields  of  a  given  number  field. 

11.  Let  A  be  a  Noetherian  integral  domain.  Show  that  any  non-zero  ideal  of  R 
contains  a  product  of  non-zero  prime  ideals. 

12.  Let  di  and  cfe  be  coprime  integers  such  that  d  =  d\ cfc  £  /,  where  I  is  an  integral 
ideal  in  a  number  field  K.  Show  that  /  =  I\h  where  Ii  =  I  +  diZK,  and  show 
that  this  is  false  in  general  if  d\  and  cfe  are  not  assumed  to  be  coprime. 

13. Let $R$ be an order in a number field, and let $I$ and $J$ be two ideals in $R$. Assume that $I$ is a maximal (i.e. non-zero prime) ideal. Show that $\mathcal{N}(I)\mathcal{N}(J) \mid \mathcal{N}(IJ)$ and that $\mathcal{N}(I^2) = \mathcal{N}(I)^2$ if and only if $I$ is invertible. (Note that these two results are not true anymore if $I$ is not assumed maximal.)

14. Let $R$ be an order in a number field. For any non-zero integral ideal $I$ of $R$, set $f(I) = [R : II']$ where as in Lemma 4.6.7 we set $I' = \{x \in K,\ xI \subset R\}$. This function can be considered as a measure of the non-invertibility of the ideal $I$.

a) If $I$ is a maximal ideal, show that either $I$ is invertible (in which case $f(I) = 1$) or else $f(I) = \mathcal{N}(I)$.

b) Generalizing Proposition 4.6.8, show that if $I$ and $J$ are two ideals such that $f(I)$ and $f(J)$ are coprime, we still have $\mathcal{N}(IJ) = \mathcal{N}(I)\mathcal{N}(J)$.

15. (H. W. Lenstra) Let $\alpha$ be an algebraic number which is not necessarily an algebraic integer, and let $a_nX^n + a_{n-1}X^{n-1} + \cdots + a_0$ be its minimal polynomial. Set
$$\mathbb{Z}[\alpha] = \mathbb{Z} + (a_n\alpha)\mathbb{Z} + (a_n\alpha^2 + a_{n-1}\alpha)\mathbb{Z} + \cdots.$$

a) Show that $\mathbb{Z}[\alpha]$ is an order of $K$, and that its definition coincides with the usual one when $\alpha$ is an algebraic integer.

b) Show that Proposition 4.4.4 (2) remains valid if $T \in \mathbb{Z}[X]$ is not assumed to be monic, if we use this generalized definition for $\mathbb{Z}[\theta]$. How should Proposition 4.4.4 (1) be modified?

16. Show that the converse of Theorem 4.7.5 is not always true, in other words if $(W, d)$ is a HNF representation of a $\mathbb{Z}$-module $M$ satisfying the properties given in the theorem, show that $M$ is not always a $\mathbb{Z}[\theta]$-module.

17. Assume that $W$ is a HNF of an ideal $I$ of $R$ with respect to a basis $\alpha_1 = 1, \alpha_2, \ldots, \alpha_n$ of $R$. Show that it is still true that $w_{i,i} \mid w_{1,1}$ for all $i$, and that if $w_{i,i} = w_{1,1}$ then $w_{j,i} = 0$ for $j \ne i$.

18. Show that by using Algorithms 2.4.10 or 2.7.2 instead of Algorithm 2.3.1, Algorithm 2.3.9 can be used to compute the intersection of two $\mathbb{Z}$-modules, and in particular of two ideals. Compare the efficiency of this method with that given in the text.

19. Let $\mathfrak{p}$ be a (non-zero) prime ideal in $\mathbb{Z}_K$ for some number field $K$, and assume that $\mathfrak{p}$ is not above 2. If $x \in \mathbb{Z}_K$, show that there exists a unique $\varepsilon \in \{-1, 0, +1\}$ such that
$$x^{(\mathcal{N}(\mathfrak{p})-1)/2} \equiv \varepsilon \pmod{\mathfrak{p}}$$
where we write $x \equiv y \pmod{\mathfrak{p}}$ if $x - y \in \mathfrak{p}$. This $\varepsilon$ is called a "generalized Legendre symbol" and denoted $\left(\frac{x}{\mathfrak{p}}\right)$. Study the generalization to this symbol of the properties of the ordinary Legendre symbol seen in Chapter 1.

20. Show that the condition $v_p(\mathcal{N}(\alpha)) = f$ of Lemma 4.7.9 is not a necessary condition for $\mathfrak{p}$ to be equal to $(p, \alpha)$ (hint: decompose $\alpha$ and $p\mathbb{Z}_K$ as a product of prime ideals).

21. Using the notation of Algorithm 4.8.17, show that if the prime $p$ does not divide the index $[\mathbb{Z}_K : \mathbb{Z}[\theta]]$, then $p^v \mid A_{n,n}$ is equivalent to $p^v$ dividing all the coefficients of the matrix $A$.

22. Let $s$ be a real number such that $s > 1$. Show that if $K$ is a number field of degree $n$ we have $\zeta_K(s) \le \zeta(s)^n$ where $\zeta(s) = \zeta_{\mathbb{Q}}(s)$ is the usual Riemann zeta function, and hence that the product and series defining $\zeta_K(s)$ converge absolutely for $\mathrm{Re}(s) > 1$.
23. If $K$ is a number field, let $N_K(x)$ be the number of integral ideals of $\mathbb{Z}_K$ of norm less than or equal to $x$. Using Theorem 4.9.12, and a suitable Tauberian theorem, find the limit as $x$ tends to infinity of $N_K(x)/x$.

24. Let $K = \mathbb{Q}(\zeta_{p^k})$ where $p$ is a prime and $\zeta_m$ denotes a primitive $m$-th root of unity. One can show that $\mathbb{Z}_K = \mathbb{Z}[\zeta_{p^k}]$. Using this, compute the discriminant of the field $K$, and hence show the validity of the formula in Step 3 of Algorithm 4.9.10.

25. Let $\alpha$ be an algebraic integer of degree $d$ all of whose conjugates have absolute value 1.

a) Show that for every positive integer $k$, the monic minimal polynomial of $\alpha^k$ in $\mathbb{Z}[X]$ has all its coefficients bounded in absolute value by $2^d$.

b) Deduce from this that there exists only a finite number of distinct powers of $\alpha$, hence that $\alpha$ is a root of unity. (This result is due to Kronecker.)

26. Let $\rho \in \mathbb{Z}_K$ be an algebraic integer given as a polynomial in $\theta$, where $K = \mathbb{Q}(\theta)$ and $T$ is the minimal monic polynomial of $\theta$ in $\mathbb{Z}[X]$. Give algorithms to check exactly whether or not $\rho$ is a root of unity, and compare their efficiency.

27. Let $K = \mathbb{Q}[\theta]$ where $\theta$ is a root of the polynomial $X^4 + 1$. Show that the subgroup of roots of unity of $K$ is the group of 8-th roots of unity. Show that $1 + \sqrt{2}$ is a generator of the torsion-free part of the group of units of $K$. What is the regulator of $K$? (Warning: it is not equal to $\ln(1 + \sqrt{2})$.)

28. Let $\mathfrak{p}$ be a (non-zero) prime ideal in $\mathbb{Z}_K$ for some number field $K$, let $e = e(\mathfrak{p}/p)$ be its ramification index, let $\mathfrak{p} = p\mathbb{Z}_K + \alpha\mathbb{Z}_K$ be a two-element representation of $\mathfrak{p}$, and finally let $v = v_{\mathfrak{p}}(\alpha)$. Let $a \ge 1$ and $b \ge 1$ be integers. By computing $\mathfrak{q}$-adic valuations for each prime ideal $\mathfrak{q}$, show that
$$p^a\mathbb{Z}_K + \alpha^b\mathbb{Z}_K = \mathfrak{p}^{\min(ae,\,bv)}.$$
Deduce from this formulas for computing explicitly $\mathfrak{p}^k$ for any $k \ge 1$.

29. Let $I$ be an integral ideal in a number field $K$ and let $\ell(I)$ be the positive generator of $I \cap \mathbb{Z}$.

a) Show that
$$\ell(I) = \prod_{p \mid \mathcal{N}(I)} p^{\max_{\mathfrak{p} \mid p} \lceil v_{\mathfrak{p}}(I)/e(\mathfrak{p}/p) \rceil}.$$

b) Let $\alpha \in I$ be such that $(\mathcal{N}(I), \mathcal{N}(\alpha)/\mathcal{N}(I)) = 1$. Show that
$$I = \ell(I)\mathbb{Z}_K + \alpha\mathbb{Z}_K = \mathcal{N}(I)\mathbb{Z}_K + \alpha\mathbb{Z}_K$$
(this is a partial generalization of Lemma 4.7.9).

c) Deduce from this an algorithm for finding a two-element representation of $I$ analogous to Algorithm 4.7.10.

30. Let $K = \mathbb{Q}[\theta]$ be a number field, where $\theta$ is an algebraic integer whose minimal monic polynomial is $P(X) \in \mathbb{Z}[X]$. Assume that $\mathbb{Z}_K = \mathbb{Z}[\theta]$. Show that the different $\mathfrak{d}(K)$ is the principal ideal generated by $P'(\theta)$.

31. Let $I$ and $J$ be two integral ideals in a number field $K$ given by their HNF matrices $M_I$ and $M_J$. Assume that $I$ and $J$ are coprime, i.e. that $I + J = \mathbb{Z}_K$. Give an algorithm which finds $i \in I$ and $j \in J$ such that $i + j = 1$.

32. a) Using the preceding exercise, give an algorithm which finds explicitly the element $\beta \in \mathbb{Z}_K$ whose existence is proven in Proposition 4.7.7.

b) Deduce from this an algorithm which finds a two-element representation $I = \alpha\mathbb{Z}_K + \beta\mathbb{Z}_K$ of an integral ideal $I$ given a non-zero element $\alpha \in I$.

c) In the case where $\alpha = \ell(I)$, compare the theoretical and practical performance of this algorithm with the one given in Exercise 29.

33. Let $\alpha$ and $\beta$ be non-zero elements of $K^*$. Show that there exist $u$ and $v$ in $\mathbb{Z}_K$ such that $\alpha\beta = u\alpha^2 + v\beta^2$, and give an algorithm for computing $u$ and $v$.

34. Modify Proposition 4.3.4 so that it is still valid when $T(X) \in \mathbb{Q}[X]$ and not necessarily monic.


Chapter 5

Algorithms for Quadratic Fields

5.1 Discriminant, Integral Basis and Decomposition of Primes

In this chapter, we consider the simplest of all number fields that are different from $\mathbb{Q}$, i.e. quadratic fields. Since $n = 2 = r_1 + 2r_2$, the signature $(r_1, r_2)$ of a quadratic field $K$ is either $(2, 0)$, in which case we will speak of real quadratic fields, or $(0, 1)$, in which case we will speak of imaginary (or complex) quadratic fields. By Proposition 4.8.11 we know that imaginary quadratic fields are those of negative discriminant, and that real quadratic fields are those with positive discriminant.

Furthermore, by Dirichlet's unit theorem, the rank of the group of units is $r_1 + r_2 - 1$, hence it can be equal to zero only in two cases: either $r_1 = 1$, $r_2 = 0$, hence $n = 1$ so $K = \mathbb{Q}$, a rather uninteresting case (see below however); or $r_1 = 0$ and $r_2 = 1$, hence $n = 2$, and this corresponds to imaginary quadratic fields. One reason imaginary quadratic fields are simple is that they are the only number fields (apart from $\mathbb{Q}$) with a finite number of units (almost always only 2). We consider them first in what follows. However, a number of definitions and simple results can be given uniformly.

Since a quadratic field $K$ is of degree 2 over $\mathbb{Q}$, it can be given by $K = \mathbb{Q}(\theta)$ where $\theta$ is a root of a monic irreducible polynomial of $\mathbb{Z}[X]$, say $T(X) = X^2 + aX + b$. If we set $\theta' = 2\theta + a$, then $\theta'$ is a root of $X^2 = a^2 - 4b = d$. Hence, $K = \mathbb{Q}(\sqrt{d})$ where $d$ is an integer, and the irreducibility of $T$ means that $d$ is not a square. Furthermore, it is clear that $\mathbb{Q}(\sqrt{d/f^2}) = \mathbb{Q}(\sqrt{d})$, hence we may assume $d$ squarefree. The discriminant and integral basis problem is easy.

Proposition 5.1.1. Let $K = \mathbb{Q}(\sqrt{d})$ be a quadratic field with $d$ squarefree and not a square (i.e. different from 1). Let $1, \omega$ be an integral basis and $d(K)$ the discriminant of $K$. Then, if $d \equiv 1 \pmod 4$, we can take $\omega = (1 + \sqrt{d})/2$, and we have $d(K) = d$, while if $d \equiv 2$ or $3 \pmod 4$, we can take $\omega = \sqrt{d}$ and we have $d(K) = 4d$.

This is well known and left as an exercise. Note that we can, for example, appeal to Corollary 4.4.7, which is much more general.

For several reasons, in particular to avoid making unnecessary case distinctions, it is better to consider quadratic fields as follows.
Definition 5.1.2. An integer $D$ is called a fundamental discriminant if $D$ is the discriminant of a quadratic field $K$. In other words, $D \ne 1$ and either $D \equiv 1 \pmod 4$ and is squarefree, or $D \equiv 0 \pmod 4$, $D/4$ is squarefree and $D/4 \equiv 2$ or $3 \pmod 4$.

If $K$ is a quadratic field of discriminant $D$, we will use the following as standard notations: $K = \mathbb{Q}(\sqrt{D})$, where $D$ is a fundamental discriminant. Hence $D = d(K)$, and an integral basis of $K$ is given by $(1, \omega)$, where
$$\omega = \frac{D + \sqrt{D}}{2}$$
and therefore $\mathbb{Z}_K = \mathbb{Z}[\omega]$.

Proposition 5.1.3. If $K$ is a quadratic field of discriminant $D$, then every order $R$ of $K$ has discriminant $Df^2$ where $f$ is a positive integer called the conductor of the order. Conversely, if $\Delta$ is any non-square integer such that $\Delta \equiv 0$ or $1 \pmod 4$, then $\Delta$ is uniquely of the form $\Delta = Df^2$ where $D$ is a fundamental discriminant, and there exists a unique order $R$ of discriminant $\Delta$ (and $R$ is an order of the quadratic field $\mathbb{Q}(\sqrt{D})$).

Again this is very easy and left to the reader.

A consequence of this is that it is quite natural to consider quadratic fields together with their orders, since their discriminants form a sequence which is almost a union of two arithmetic progressions. It is however necessary to separate the positive from the negative discriminants, and for positive discriminants we should add the squares to make everything uniform. This corresponds to considering the sub-orders of the etale algebra $\mathbb{Q} \times \mathbb{Q}$ (which is not a field) as well. We will see applications of these ideas later in this chapter.

To end this section, note that Theorem 4.8.13 immediately shows how prime numbers decompose in a quadratic field:

Proposition 5.1.4. Let $K = \mathbb{Q}(\sqrt{D})$ where as usual $D = d(K)$, $\mathbb{Z}_K = \mathbb{Z}[\omega]$ where $\omega = (D + \sqrt{D})/2$ its ring of integers, and let $p$ be a prime number. Then

(1) If $p \mid D$, i.e. if $\left(\frac{D}{p}\right) = 0$, then $p$ is ramified, and we have $p\mathbb{Z}_K = \mathfrak{p}^2$, where
$$\mathfrak{p} = p\mathbb{Z}_K + \omega\mathbb{Z}_K$$
except when $p = 2$ and $D \equiv 12 \pmod{16}$. In this case, $\mathfrak{p} = p\mathbb{Z}_K + (1 + \omega)\mathbb{Z}_K$.

(2) If $\left(\frac{D}{p}\right) = -1$, then $p$ is inert, hence $\mathfrak{p} = p\mathbb{Z}_K$ is a prime ideal.

(3) If $\left(\frac{D}{p}\right) = 1$, then $p$ is split, and we have $p\mathbb{Z}_K = \mathfrak{p}_1\mathfrak{p}_2$, where
$$\mathfrak{p}_1 = p\mathbb{Z}_K + \left(\omega - \frac{D + b}{2}\right)\mathbb{Z}_K \quad\text{and}\quad \mathfrak{p}_2 = p\mathbb{Z}_K + \left(\omega - \frac{D - b}{2}\right)\mathbb{Z}_K,$$
and $b$ is any solution to the congruence $b^2 \equiv D \pmod{4p}$.

Recall that in Section 1.5 we gave an efficient algorithm to compute square roots modulo $p$. To obtain the number $b$ occurring in (3) above, it is only necessary, when $p$ is an odd prime and the square root obtained is not of the same parity as $D$, to add $p$ to it. When $p = 2$, one can always take $b = 1$ since $D \equiv 1 \pmod 8$.
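The decomposition of Proposition 5.1.4, together with the parity adjustment of $b$ just described, as an added Python example (this is not code from the book). The square root modulo $p$ is a Tonelli-Shanks routine standing in for the algorithm of Section 1.5, and each prime ideal is returned as a triple $(a, u, c)$ standing for $a\mathbb{Z} + (u + c\omega)\mathbb{Z}$, so that its norm is $ac$; the sample discriminants are constructed for the demonstration.

```python
from math import isqrt

def is_squarefree(n):
    """True if no square > 1 divides n (n != 0)."""
    n = abs(n)
    if n == 0:
        return False
    k = 2
    while k * k <= n:
        if n % (k * k) == 0:
            return False
        k += 1
    return True

def is_fundamental_discriminant(D):
    """Definition 5.1.2: D != 1, and D = 1 (mod 4) squarefree, or D = 0 (mod 4)
    with D/4 squarefree and D/4 = 2 or 3 (mod 4)."""
    if D in (0, 1):
        return False
    if D % 4 == 1:
        return is_squarefree(D)
    if D % 4 == 0:
        return is_squarefree(D // 4) and (D // 4) % 4 in (2, 3)
    return False

def kronecker(D, p):
    """Kronecker symbol (D/p) for a prime p (the Legendre symbol when p is odd)."""
    if p == 2:
        if D % 2 == 0:
            return 0
        return 1 if D % 8 in (1, 7) else -1
    r = pow(D % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def sqrt_mod_p(n, p):
    """Tonelli-Shanks: a square root of the quadratic residue n modulo the odd prime p."""
    n %= p
    if n == 0:
        return 0
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2                                   # find any quadratic non-residue
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def norm(D, u, v):
    """N(u + v*omega) with omega = (D + sqrt(D))/2: Tr(omega) = D, N(omega) = (D^2 - D)/4."""
    return u * u + u * v * D + v * v * ((D * D - D) // 4)

def decompose(D, p):
    """Decomposition of the prime p in Z_K, K = Q(sqrt(D)), D a fundamental
    discriminant (Proposition 5.1.4).  Returns the splitting type and the list
    of prime ideals above p as triples (a, u, c) meaning aZ + (u + c*omega)Z."""
    if not is_fundamental_discriminant(D):
        raise ValueError("D must be a fundamental discriminant")
    chi = kronecker(D, p)
    if chi == 0:                            # p | D: ramified, pZ_K = P^2
        u = 1 if (p == 2 and D % 16 == 12) else 0   # the exceptional case of (1)
        return "ramified", [(p, u, 1)]
    if chi == -1:                           # inert: pZ_K is itself prime
        return "inert", [(p, 0, p)]
    # split: need b with b^2 = D (mod 4p); b must have the parity of D
    if p == 2:
        b = 1                               # D = 1 (mod 8) in this case
    else:
        b = sqrt_mod_p(D, p)
        if b % 2 != D % 2:
            b += p
    assert (b * b - D) % (4 * p) == 0
    p1 = (p, (-(D + b) // 2) % p, 1)        # omega - (D + b)/2 = (sqrt(D) - b)/2
    p2 = (p, (-(D - b) // 2) % p, 1)        # omega - (D - b)/2 = (sqrt(D) + b)/2
    return "split", [p1, p2]

if __name__ == "__main__":
    # Constructed sample: K = Q(sqrt(-23)) and a few small primes.
    for p in (2, 3, 5, 13, 23):
        print(p, decompose(-23, p))
```

The generator $u + \omega$ of each returned prime ideal has norm divisible by $p$, which `norm` lets you verify directly.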


5.2 Ideals and Quadratic Forms

Let $D$ be a non-square integer congruent to 0 or 1 modulo 4, $R$ the unique quadratic order of discriminant $D$, $(1, \omega)$ the standard basis of $R$ (i.e. with $\omega = (D + \sqrt{D})/2$) and $K$ be the unique quadratic field containing $R$ (i.e. the quotient field of $R$). We denote by $\sigma$ a real or complex conjugation in $K$, i.e. the $\mathbb{Q}$-linear map sending $\sqrt{D}$ to $-\sqrt{D}$. From the general theory, we have:

Proposition 5.2.1. Any integral ideal $\mathfrak{a}$ of $R$ has a unique Hermite normal form with denominator equal to 1, and with matrix
$$\begin{pmatrix} a & b \\ 0 & c \end{pmatrix}$$
with respect to the basis $(1, \omega)$, where $c$ divides $a$ and $b$ and $0 \le b < a$. In other words, $\mathfrak{a} = a\mathbb{Z} + (b + c\omega)\mathbb{Z}$. Furthermore, $a = \ell(\mathfrak{a})$ is the smallest positive integer in $\mathfrak{a}$ and $\mathcal{N}(\mathfrak{a}) = ac$.

Definition 5.2.2. We will say that an integral ideal $\mathfrak{a}$ of $R$ is primitive if $c = 1$, in other words if $\mathfrak{a}/n$ is not an integral ideal of $R$ for any integer $n > 1$.

We also need some definitions about binary quadratic forms.

Definition 5.2.3. A binary quadratic form $f$ is a function $f(x, y) = ax^2 + bxy + cy^2$ where $a$, $b$ and $c$ are integers, which is denoted more briefly by $(a, b, c)$. We say that $f$ is primitive if $\gcd(a, b, c) = 1$. If $f$ and $g$ are two quadratic forms, we say that $f$ and $g$ are equivalent if there exists a matrix
$$\begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix} \in SL_2(\mathbb{Z})$$
(i.e. an integral matrix of determinant equal to 1), such that $g(x, y) = f(\alpha x + \beta y, \gamma x + \delta y)$.

It is clear that equivalence preserves the discriminant $D = b^2 - 4ac$ of the quadratic form (in fact it would also be preserved by matrices of determinant equal to $-1$ but as will be seen, the use of these matrices would lead to the wrong notion of equivalence). One can also easily check that equivalence preserves primitivity. It is also clear that if $D$ is a fundamental discriminant, then any quadratic form of discriminant $D = b^2 - 4ac$ is primitive.
Note that the action of $A \in SL_2(\mathbb{Z})$ is the same as the action of $-A$, hence the natural group which acts on quadratic forms (as well as on complex numbers by linear fractional transformations) is the group $PSL_2(\mathbb{Z})$ where we identify $\gamma$ and $-\gamma$. By abuse of notation, we will consider an element of $PSL_2(\mathbb{Z})$ as a matrix instead of an equivalence class of matrices.

We will now explain why computing on ideals and on binary quadratic forms is essentially the same. Since certain algorithms are more efficient in the context of quadratic forms, it is important to study this in detail.

As above let $D$ be a non-square integer congruent to 0 or 1 modulo 4 and $R$ be the unique order of discriminant $D$. We consider the following quotient sets.
$$F = \{(a, b, c),\ b^2 - 4ac = D\}/\Gamma_\infty$$
where
$$\Gamma_\infty = \left\{\begin{pmatrix} 1 & m \\ 0 & 1 \end{pmatrix},\ m \in \mathbb{Z}\right\}$$
is a multiplicative group (isomorphic to the additive group of $\mathbb{Z}$) which acts on binary quadratic forms by the formula
$$\begin{pmatrix} 1 & m \\ 0 & 1 \end{pmatrix} \cdot (a, b, c) = (a,\ b + 2am,\ c + bm + am^2)$$
which is induced by the action of $SL_2(\mathbb{Z})$.

The second set is
$$I = \{\mathfrak{a} \text{ fractional ideal of } R\}/\mathbb{Q}^*$$
where $\mathbb{Q}^*$ is understood to act multiplicatively on fractional ideals.

The third set is
$$Q = \left\{\tau = \frac{-b + \sqrt{D}}{2a},\ a > 0 \text{ and } 4a \mid (D - b^2)\right\}/\mathbb{Z},$$
where $\mathbb{Z}$ is understood to act additively on quadratic numbers $\tau$. We also define maps as follows. If $(a, b, c)$ is a quadratic form, we set
$$\phi_{FI}(a, b, c) = \left(a\mathbb{Z} + \frac{-b + \sqrt{D}}{2}\mathbb{Z},\ \mathrm{sign}(a)\right).$$

If $\mathfrak{a}$ is a fractional ideal and $s = \pm 1$, choose a $\mathbb{Z}$-basis $(\omega_1, \omega_2)$ of $\mathfrak{a}$ with $\omega_1 \in \mathbb{Q}$ and $(\omega_2\sigma(\omega_1) - \omega_1\sigma(\omega_2))/\sqrt{D} > 0$ (this is possible by Proposition 5.2.1), and set
$$\phi_{IF}(\mathfrak{a}, s) = s\,\frac{\mathcal{N}(x\omega_1 - sy\omega_2)}{\mathcal{N}(\mathfrak{a})}.$$

If $\mathfrak{a}$ is a fractional ideal, choose a $\mathbb{Z}$-basis $(\omega_1, \omega_2)$ as above, and set
$$\phi_{IQ}(\mathfrak{a}) = \frac{\omega_2}{\omega_1}.$$
Finally, if $\tau = (-b + \sqrt{D})/(2a)$ is a quadratic number, set
$$\phi_{QI}(\tau) = a(\mathbb{Z} + \tau\mathbb{Z}).$$

The following theorem, while completely elementary, is fundamental to understanding the relationships between quadratic forms, ideals and quadratic numbers. We always identify the group $\mathbb{Z}/2\mathbb{Z}$ with $\pm 1$.

Theorem 5.2.4. With the above notations, the maps that we have given can be defined at the level of the equivalence classes defining $F$, $I$ and $Q$, and are then set isomorphisms (which we denote in the same way). In other words, we have the following isomorphisms:
$$F \simeq I \times \mathbb{Z}/2\mathbb{Z}, \qquad I \simeq Q, \qquad F \simeq Q \times \mathbb{Z}/2\mathbb{Z}.$$

Proof. The proof is a simple but tedious verification that everything works. We comment only on the parts which are not entirely trivial.

(1) $\phi_{FI}$ sends a quadratic form to an ideal. Indeed, if $a$ and $b$ are integers with $b \equiv D \pmod 2$, the $\mathbb{Z}$-module $a\mathbb{Z} + ((-b + \sqrt{D})/2)\mathbb{Z}$ is an ideal if and only if $4a \mid (b^2 - D)$.

(2) $\phi_{FI}$ depends only on the equivalence class modulo $\Gamma_\infty$ hence induces a map from $F$ to $I$.

(3) $\phi_{IF}$ sends a pair $(\mathfrak{a}, s)$ to an integral quadratic form. Indeed, by homogeneity, if we multiply $\mathfrak{a}$ by a suitable element of $\mathbb{Q}$, we may assume that $\mathfrak{a}$ is a primitive integral ideal. If $\omega_1 < 0$, we can also change $(\omega_1, \omega_2)$ into $(-\omega_1, -\omega_2)$. In that case, by Proposition 5.2.1 (or directly), we have $\mathcal{N}(\mathfrak{a}) = \omega_1$ and $\omega_2 - \sigma(\omega_2) = \sqrt{D}$. Finally, since $\mathfrak{a}$ is an integral ideal, $\omega_1 \mid \omega_2\sigma(\omega_2)$, and a simple calculation shows that we obtain an integral binary quadratic form of discriminant $D$.

(4) $\phi_{IF}$ does not depend on the equivalence class of $\mathfrak{a}$, nor on the choice of $\omega_1$ and $\omega_2$. Indeed, if $\omega_1$ is given, then $\omega_2$ is defined modulo $\omega_1$, and this corresponds precisely to the action of $\Gamma_\infty$ on quadratic forms.

(5) $\phi_{IF}$ and $\phi_{FI}$ are inverse maps. This is left to the reader, and is the only place where we must really use the $\mathrm{sign}(a)$ component.

(6) I also leave to the reader the easy proof that $\phi_{IQ}$ and $\phi_{QI}$ are well defined and are inverse maps.

□

We now need to identify precisely the invertible ideals in $R$ so as to be able to work in the class group.

Proposition 5.2.5. Let $\mathfrak{a} = a\mathbb{Z} + ((-b + \sqrt{D})/2)\mathbb{Z}$ be an ideal of $R$, and let $(a, b, c)$ be the corresponding quadratic form. Then $\mathfrak{a}$ is invertible in $R$ if and only if $(a, b, c)$ is primitive. In that case, we have $\mathfrak{a}^{-1} = \mathbb{Z} + ((b + \sqrt{D})/(2a))\mathbb{Z}$.
Proof. From Lemma 4.6.7 we know that $\mathfrak{a}$ is invertible if and only if $\mathfrak{a}\mathfrak{b} = R$ where $\mathfrak{b} = \{z \in K,\ z\mathfrak{a} \subset R\}$. Writing $\mathfrak{a} = a\mathbb{Z} + ((-b + \sqrt{D})/2)\mathbb{Z}$, from $a \in \mathfrak{a}$ we see that such a $z$ must be of the form $z = (x + y\sqrt{D})/(2a)$ with $x$ and $y$ in $\mathbb{Z}$ such that $x \equiv yD \pmod 2$. From $(-b + \sqrt{D})/2 \in \mathfrak{a}$, we obtain the congruences $bx \equiv Dy \pmod{2a}$, $x \equiv by \pmod{2a}$ and $(Dy - bx)/(2a) \equiv D(x - by)/(2a) \pmod 2$. An immediate calculation gives us $\mathfrak{b} = \mathbb{Z} + ((b + \sqrt{D})/(2a))\mathbb{Z}$ as claimed.

Now the $\mathbb{Z}$-module $\mathfrak{a}\mathfrak{b}$ is generated by the four products of the generators, i.e. by $a$, $(b + \sqrt{D})/2$, $(-b + \sqrt{D})/2$ and $-c$. We obtain immediately
$$\mathfrak{a}\mathfrak{b} = \gcd(a, b, c)\mathbb{Z} + \frac{-b + \sqrt{D}}{2}\mathbb{Z}$$
hence this is equal to $R = \mathbb{Z} + ((-b + \sqrt{D})/2)\mathbb{Z}$ if and only if $\gcd(a, b, c) = 1$, thus proving the proposition. □

Corollary 5.2.6. Denote by $F_0$ the subset of classes of primitive forms in $F$, $I_0$ the subset of classes of invertible ideals in $I$ and $Q_0$ the subset of classes of primitive quadratic numbers in $Q$ (where $\tau \in Q$ is said to be primitive if $(a, b, c) = 1$ where $a$, $b$ and $c$ are as in the definition of $Q$). Then the maps $\phi_{FI}$ and $\phi_{IQ}$ also give isomorphisms:
$$F_0 \simeq I_0 \times \mathbb{Z}/2\mathbb{Z}, \qquad I_0 \simeq Q_0, \qquad F_0 \simeq Q_0 \times \mathbb{Z}/2\mathbb{Z}.$$

Theorem 5.2.4 gives set isomorphisms between ideals and quadratic forms at the level of equivalence classes of quadratic forms modulo $\Gamma_\infty$. As we shall see, this will be useful in the real quadratic case. When considering the class group however, we need the corresponding theorem at the level of equivalence classes of quadratic forms modulo the action of the whole group $PSL_2(\mathbb{Z})$. Since we must restrict to invertible ideals in order to define the class group, the above proposition shows that we will have to consider only primitive quadratic forms.

Here, it is slightly simpler to separate the case $D < 0$ from the case $D > 0$. We begin by defining the sets with which we will work.

Definition 5.2.7. Let $D$ be a non-square integer congruent to 0 or 1 modulo 4, and $R$ the unique quadratic order of discriminant $D$.

(1) We will denote by $\mathcal{F}(D)$ the set of equivalence classes of primitive quadratic forms of discriminant $D$ modulo the action of $PSL_2(\mathbb{Z})$, and in the case $D < 0$, $\mathcal{F}^+(D)$ will denote those elements of $\mathcal{F}(D)$ represented by a positive definite quadratic form (i.e. a form $(a, b, c)$ with $a > 0$).

(2) We will denote by $Cl(D)$ the class group of $R$, and in the case $D > 0$, $Cl^+(D)$ will denote the narrow class group of $R$, i.e. the group of equivalence classes of $R$-ideals modulo the group $\mathcal{P}^+$ of principal ideals generated by an element of positive norm.

(3) Finally, we will set $h(D) = |Cl(D)|$ and $h^+(D) = |Cl^+(D)|$.
We then have the following theorems.

Theorem 5.2.8. Let $D$ be a negative integer congruent to 0 or 1 modulo 4. The maps
$$\psi_{FI}(a, b, c) = a\mathbb{Z} + \frac{-b + \sqrt{D}}{2}\mathbb{Z},$$
$$\psi_{IF}(\mathfrak{a}) = \frac{\mathcal{N}(x\omega_1 - y\omega_2)}{\mathcal{N}(\mathfrak{a})}, \quad\text{where } \mathfrak{a} = \omega_1\mathbb{Z} + \omega_2\mathbb{Z} \text{ with } \frac{\omega_2\sigma(\omega_1) - \omega_1\sigma(\omega_2)}{\sqrt{D}} > 0,$$
induce inverse bijections from $\mathcal{F}^+(D)$ to $Cl(D)$.

Theorem 5.2.9. Let $D$ be a non-square positive integer congruent to 0 or 1 modulo 4. The maps
$$\psi_{FI}(a, b, c) = \left(a\mathbb{Z} + \frac{-b + \sqrt{D}}{2}\mathbb{Z}\right)\alpha,$$
where $\alpha$ is any element of $K^*$ such that $\mathrm{sign}(\mathcal{N}(\alpha)) = \mathrm{sign}(a)$, and
$$\psi_{IF}(\mathfrak{a}) = \frac{\mathcal{N}(x\omega_1 - y\omega_2)}{\mathcal{N}(\mathfrak{a})}, \quad\text{where } \mathfrak{a} = \omega_1\mathbb{Z} + \omega_2\mathbb{Z} \text{ with } \frac{\omega_2\sigma(\omega_1) - \omega_1\sigma(\omega_2)}{\sqrt{D}} > 0,$$
induce inverse bijections from $\mathcal{F}(D)$ to $Cl^+(D)$.

Proof. As for Theorem 5.2.4, the proofs consist of a series of simple verifications.

(1) The map $\psi_{FI}$ is well defined on classes modulo $PSL_2(\mathbb{Z})$. If $\begin{pmatrix} A & B \\ U & V \end{pmatrix} \in PSL_2(\mathbb{Z})$ acts on $(a, b, c)$, then the quantity $\tau = (-b + \sqrt{D})/(2a)$ becomes $\tau' = (V\tau - B)/(-U\tau + A)$, and $a$ becomes $a\mathcal{N}(-U\tau + A)$, hence since $\mathbb{Z} + \tau'\mathbb{Z} = (\mathbb{Z} + \tau\mathbb{Z})/(-U\tau + A)$, it follows immediately that $\psi_{FI}$ is well defined.

(2) Similarly, $\psi_{IF}$ is well defined, and we can check that it gives an integral quadratic form of discriminant $D$ as for the map $\phi_{IF}$ of Theorem 5.2.4. This form is primitive since we restrict to invertible ideals.

(3) Finally, the same verification as in the preceding theorem shows that $\psi_{IF}$ and $\psi_{FI}$ are inverse maps.
Remarks.

(1) Although we have given the bijections between classes of forms and ideals, we could, as in Theorem 5.2.4, give bijections with classes of quadratic numbers modulo the action of $PSL_2(\mathbb{Z})$. This is left to the reader (Exercise 3).

(2) In the case $D < 0$, a quadratic form is either positive definite or negative definite, hence the set $F$ breaks up naturally into two disjoint pieces. The map $\psi_{FI}$ is induced by the restriction of $\phi_{FI}$ to the positive piece, and $\psi_{IF}$ is induced by $\phi_{IF}$ and forgetting the factor $\mathbb{Z}/2\mathbb{Z}$.

(3) In the case $D > 0$, there is no such natural breaking up of $F$. In this case, the maps $\phi_{FI}$ and $\phi_{IF}$ induce inverse isomorphisms between $\mathcal{F}(D)$ and
$$\mathcal{I}(D) = (I \times \mathbb{Z}/2\mathbb{Z})/\mathcal{P},$$
where $\mathcal{P}$ is the quotient of $K^*$ by the subgroup of units of positive norm, and $\beta \in \mathcal{P}$ acts by sending $(\mathfrak{a}, s)$ to $(\beta\mathfrak{a},\ s \cdot \mathrm{sign}(\mathcal{N}(\beta)))$. (Note also the exact sequence
$$1 \longrightarrow \mathcal{P}^+ \longrightarrow \mathcal{P} \longrightarrow \mathbb{Z}/2\mathbb{Z} \longrightarrow 1,$$
where the map to $\mathbb{Z}/2\mathbb{Z}$ is induced by the sign of the norm map.) The maps $\psi_{FI}$ and $\psi_{IF}$ are obtained by composition of the above isomorphisms with the isomorphisms between $\mathcal{I}(D)$ and $Cl^+(D)$ given as follows. The class of $(\mathfrak{a}, s)$ representing an element of $\mathcal{I}(D)$ is sent to the class of $\beta\mathfrak{a}$ in $Cl^+(D)$, where $\beta \in K^*$ is any element such that $\mathrm{sign}(\mathcal{N}(\beta)) = s$. Conversely, the class of $\mathfrak{a} \in Cl^+(D)$ is sent to the class of $(\mathfrak{a}, 1)$ in $\mathcal{I}(D)$.

Although $F$, $I$ and $Q$ are defined as quotient sets, it is often useful to use precise representatives of classes in these sets. We have already implicitly done so when we defined all the maps $\phi_{IF}$ etc. above, but we make our choice explicit.

An element of $F$ will be represented by the unique element $(a, b, c)$ in its class chosen as follows. If $D < 0$, then $-|a| < b \le |a|$. If $D > 0$, then $-|a| < b \le |a|$ if $a > \sqrt{D}$, and $\sqrt{D} - 2|a| < b < \sqrt{D}$ if $a < \sqrt{D}$.

An element of $I$ will be represented by the unique primitive integral ideal in its class.

An element of $Q$ will be represented by the unique element $\tau$ in its class such that $-1 \le \tau + \sigma(\tau) < 1$, where $\sigma$ denotes (complex or real) conjugation in $K$.

The tasks that remain before us are that of computing the class group or class number, and in the real case, that of computing the fundamental unit. It is now time to separate the two cases, and in the next sections we shall examine in detail the case of imaginary quadratic fields.
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Until  further  notice,  all  fields  which  we  consider  will  be  imaginary  quadratic 
fields.  First,  let  us  solve  the  problem  of  units.  From  the  general  theory,  we 
know  that  the  units  of  an  imaginary  quadratic  field  are  the  (finitely  many) 
roots  of  unity  inside  the  field.  An  easy  exercise  is  to  show  the  following: 

Proposition  5.3.1.  Let  D  <  0  congruent  to  0  or  1  modulo  4-  Then  the  group 
fi(R)  of  units  of  the  unique  quadratic  order  of  discriminant  D  is  equal  to  the 
group  ofw(D)th  roots  of  unity,  where 

(  2,  ifD<-A 
w(D)  =  l  4,  ifD  =  -4 
I  6,  ifD  =  - 3. 


Let  us  now  consider  the  problem  of  computing  the  class  group.  For  this,  the 
correspondences  that  we  have  established  above  between  classes  of  quadratic 
forms  and  ideal  class  groups  will  be  very  useful.  Usually,  the  ideals  will  be  used 
for  conceptual  (as  opposed  to  computational)  proofs,  and  quadratic  forms  will 
be  used  for  practical  computation. 

Thanks  to  Theorem  5.2.8,  we  will  use  interchangeably  the  language  of 
ideal  classes  or  of  classes  of  quadratic  forms.  One  of  the  advantages  is  that 
the  algorithms  are  simpler.  For  example,  we  now  consider  a  simple  but  still 
reasonable  method  for  computing  the  class  number  of  an  imaginary  quadratic 
field. 


5.3.1  Computing  Ulass  Numbers  Using  Reduced  Forms 


Definition 5.3.2. A positive definite quadratic form (a, b, c) of discriminant D is said to be reduced if |b| ≤ a ≤ c and if, in addition, when one of the two inequalities is an equality (i.e. either |b| = a or a = c), then b ≥ 0.


This definition is equivalent to saying that the number τ = (−b + √D)/(2a) corresponding to (a, b, c) as above is in the standard fundamental domain F of H/PSL_2(Z) (where H = {τ ∈ C, Im(τ) > 0}), defined by

$$\mathcal{F} = \left\{\tau \in \mathcal{H},\ \operatorname{Re}(\tau) \in \left[-\tfrac{1}{2}, \tfrac{1}{2}\right[,\ |\tau| > 1 \text{ or } |\tau| = 1 \text{ and } \operatorname{Re}(\tau) \le 0\right\}.$$


The  nice  thing  about  this  notion  is  the  following: 


Proposition 5.3.3. In every class of positive definite quadratic forms of discriminant D < 0 there exists exactly one reduced form. In particular h(D) is equal to the number of primitive reduced forms of discriminant D.

An equivalent form of this proposition is that the set F defined above is a fundamental domain for H/PSL_2(Z).

Proof. Among all forms (a, b, c) in a given class, consider one for which a is minimal. Note that for any such form we have c ≥ a since (a, b, c) is equivalent to (c, −b, a) (change (x, y) into (−y, x)). Changing (x, y) into (x + ky, y) for a suitable integer k (precisely for k = ⌊(a − b)/(2a)⌋) will not change a and put b in the interval ]−a, a]. Since a is minimal, we will still have a ≤ c, hence the form that we have obtained is essentially reduced. If c = a, changing (a, b, c) again in (c, −b, a) sets b ≥ 0 as required. This shows that in every class there exists a reduced form.

Let us show the converse. If (a, b, c) is reduced, I claim that a is minimal among all the forms equivalent to (a, b, c). Indeed, every other a' has the form a' = am² + bmn + cn² with m and n coprime integers, and the identities

$$am^2 + bmn + cn^2 = am^2\left(1 + \frac{b}{a}\,\frac{n}{m}\right) + cn^2 = am^2 + cn^2\left(1 + \frac{b}{c}\,\frac{m}{n}\right)$$

immediately imply our claim, since |b| ≤ a ≤ c. Now in fact these same identities show that the only forms equivalent to (a, b, c) with a' = a are obtained by changing (x, y) into (x + ky, y) (corresponding to m = 1 and n = 0), and this finishes the proof of the proposition. □

We  also  have  the  following  lemma. 

Lemma 5.3.4. Let f = (a, b, c) be a positive definite binary quadratic form of discriminant D = b² − 4ac < 0.

(1) If f is reduced, we have the inequality

$$a \le \sqrt{|D|/3}\,.$$

(2) Conversely, if

$$a < \sqrt{|D|/4} \quad \text{and} \quad -a < b \le a$$

then f is reduced.

Proof. For (1) we note that if f is reduced then |D| = 4ac − b² ≥ 4a² − a², hence a ≤ √(|D|/3). For (2), we have c = (b² + |D|)/(4a) ≥ |D|/(4a) > a²/a = a, therefore f is reduced. □

As a consequence, we deduce that when D < 0 the class number h(D) of Q(√D) can be obtained simply by counting reduced forms of discriminant D (since in that case all forms of discriminant D are primitive), using the inequalities |b| ≤ a ≤ √(|D|/3). This leads to the following algorithm.
Algorithm 5.3.5 (h(D) Counting Reduced Forms). Given a negative discriminant D, this algorithm outputs the class number of quadratic forms of discriminant D, i.e. h(D) when D is a fundamental discriminant.

1. [Initialize b] Set h ← 1, b ← D mod 2 (i.e. 0 if D ≡ 0 (mod 4), 1 if D ≡ 1 (mod 4)), B ← ⌊√(|D|/3)⌋.

2. [Initialize a] Set q ← (b² − D)/4, a ← b, and if a ≤ 1 set a ← 1 and go to step 4.

3. [Test] If a | q then if a = b or a² = q or b = 0 set h ← h + 1, otherwise (still in the case a | q) set h ← h + 2.

4. [Loop on a] Set a ← a + 1. If a² ≤ q go to step 3.

5. [Loop on b] Set b ← b + 2. If b ≤ B go to step 2, otherwise output h and terminate the algorithm.


It can easily be shown that this algorithm indeed counts reduced forms. One must be careful in the formulation of this algorithm since the extra boundary conditions which occur if |b| = a or a = c complicate things. It is also easy to give some cosmetic improvements to the above algorithm, but these have little effect on its efficiency.

The running time of this algorithm is clearly O(|D|), but the O constant is very small since very few computations are involved. Hence it is quite a reasonable algorithm to use for discriminants up to a few million in absolute value. The typical running time for a discriminant of the order of 10^6 is at most a few seconds on modern microcomputers.


Remark. If we want to compute h(D) for a non-fundamental discriminant D, we must only count primitive forms. Therefore the above algorithm must be modified by replacing the condition "if a | q" of Step 3 by "if a | q and gcd(a, b, q/a) = 1".
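As an added example (not the book's own code), the following Python enumerates the reduced forms of a negative discriminant using the bound |b| ≤ a ≤ √(|D|/3) of Lemma 5.3.4, and beside it transcribes the counting loop of Algorithm 5.3.5 verbatim, so that the two can be checked against each other; the primitive_only switch is the modification of the Remark above. Function names are mine.

```python
import math

def is_reduced(a, b, c):
    """Definition 5.3.2: |b| <= a <= c, and b >= 0 when |b| = a or a = c."""
    return abs(b) <= a <= c and (b >= 0 or (abs(b) != a and a != c))

def reduced_forms(D, primitive_only=False):
    """All reduced positive definite forms (a, b, c) of discriminant D < 0.
    a runs up to sqrt(|D|/3) (Lemma 5.3.4) and b over [-a, a] with the parity of D;
    with primitive_only the forms with gcd(a, b, c) > 1 are dropped (Remark above)."""
    if D >= 0 or D % 4 not in (0, 1):
        raise ValueError("D must be a negative discriminant")
    forms = []
    for a in range(1, math.isqrt(-D // 3) + 1):
        for b in range(-a, a + 1):
            if (b - D) % 2:                       # b must have the parity of D
                continue
            num = b * b - D                       # = 4ac
            if num % (4 * a):
                continue
            c = num // (4 * a)
            if is_reduced(a, b, c) and (not primitive_only or math.gcd(a, b, c) == 1):
                forms.append((a, b, c))
    return forms

def class_number(D):
    """Algorithm 5.3.5 as written in the text (all forms counted, primitive or not)."""
    h = 1                                         # step 1: the form with a = 1 is counted here
    b = D % 2                                     # 0 if D = 0 (mod 4), 1 if D = 1 (mod 4)
    B = math.isqrt(-D // 3)                       # floor(sqrt(|D|/3))
    while b <= B:
        q = (b * b - D) // 4                      # step 2: q = a c
        a = b
        if a <= 1:
            a = 2                                 # a = 1 already counted; go to step 4
        while a * a <= q:                         # steps 3 and 4
            if q % a == 0:
                h += 1 if (a == b or a * a == q or b == 0) else 2
            a += 1
        b += 2                                    # step 5
    return h
```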

A better method is as follows. Write D = D_0 f² where D_0 is a fundamental discriminant. The general theory seen in Chapter 4 tells us that h(D) is a multiple of h(D_0), but in fact Proposition 5.3.12 implies the following precise formula:

$$\frac{h(D)}{w(D)} = \frac{h(D_0)}{w(D_0)}\, f \prod_{p \mid f}\left(1 - \left(\frac{D_0}{p}\right)\frac{1}{p}\right).$$

Hence, we compute h(D_0) using the above algorithm, and deduce h(D) from this formula.

Reduced forms are also very useful for making tables of class numbers of quadratic fields or forms up to a certain discriminant bound. Although each individual computation takes time O(|D|), hence for |D| ≤ M the time would be O(M²), it is easy to see that a simultaneous computation (needing of course O(M) memory locations to hold the class numbers) takes only O(M^{3/2}), hence an average of O(|D|^{1/2}) per class number.
Since class numbers of imaginary quadratic fields occur so frequently, it is useful to have a small table available. Such a table can be found in Appendix B. Some selected values are:

• Class number 1 occurs only for D = −3, −4, −7, −8, −11, −19, −43, −67 and −163.

• Class number 2 occurs only for D = −15, −20, −24, −35, −40, −51, −52, −88, −91, −115, −123, −148, −187, −232, −235, −267, −403, −427.

• Class number 3 occurs only for D = −23, −31, −59, −83, −107, −139, −211, −283, −307, −331, −379, −499, −547, −643, −883, −907.

• Class number 4 occurs for D = −39, −55, −56, −68, . . . , −1555.

• Class number 5 occurs for D = −47, −79, −103, −127, . . . , −2683.

• Class number 6 occurs for D = −87, −104, −116, −152, . . . , −3763.

• Class number 7 occurs for D = −71, −151, −223, −251, . . . , −5923.

etc . . .

Note  that  the  first  two  statements  concerning  class  numbers  1  and  2  are 
very  difficult  theorems  proved  in  1952  by  Heegner  and  in  1968-1970  by  Stark 
and  Baker  (see  [Cox]).  The  general  problem  of  determining  all  imaginary 
quadratic  fields  with  a  given  class  number  has  been  solved  in  principle  by 
Goldfeld-Gross-Zagier  ([Gol],  [Gro-Zag2]),  but  the  explicit  computations  have 
been  carried  to  the  end  only  for  class  numbers  up  to  7  and  all  odd  numbers 
up  to  23  (see  [ARW] ,  [Wag]). 

The method using reduced forms is a very simple method to implement and is eminently suitable for computing tables of class numbers or for computing class numbers of reasonable discriminant, say less than a few million in absolute value. Since it is only a simple counting process, it does not give the structure of the class group. Also, it becomes too slow for larger discriminants, therefore we must find better methods.


5.3.2  Computing  Class  Numbers  Using  Modular  Forms 

I do not intend to explain why the theory of modular forms (specifically of weight 3/2 and weight 2) is closely related to class numbers of imaginary quadratic fields, but I would like to mention formulas which enable us to compute tables of class numbers essentially as fast as the method using reduced forms. First we need a definition.

Definition 5.3.6. Let N be a non-negative integer. The Hurwitz class number H(N) is defined as follows.

(1) If N ≡ 1 or 2 (mod 4) then H(N) = 0.

(2) If N = 0 then H(N) = −1/12.

(3) Otherwise (i.e. if N ≡ 0 or 3 (mod 4) and N > 0) we define H(N) as the class number of not necessarily primitive (positive definite) quadratic forms of discriminant −N, except that forms equivalent to a(x² + y²) should be counted with coefficient 1/2, and those equivalent to a(x² + xy + y²) with coefficient 1/3.
Let us denote by h(D) the class number of primitive positive definite quadratic forms of discriminant D. (This agrees with the preceding definition when D is a fundamental discriminant since in that case every form is primitive.) Next, we define h(D) = 0 when D is not congruent to 0 or 1 modulo 4. Then we have the following lemma.


Lemma 5.3.7. Let w(D) be the number of roots of unity in the quadratic order of discriminant D, hence w(−3) = 6, w(−4) = 4 and w(D) = 2 for D < −4, and set h'(D) = h(D)/(w(D)/2) (hence h'(D) = h(D) for D < −4). Then for N > 0 we have

(1)

$$H(N) = \sum_{d^2 \mid N} h'(-N/d^2)$$

and in particular if −N is a fundamental discriminant, we have H(N) = h(−N) except in the special cases N = 3 (H(3) = 1/3 and h(−3) = 1) and N = 4 (H(4) = 1/2 and h(−4) = 1).

(2) Conversely, we have

$$h'(-N) = \sum_{d^2 \mid N} \mu(d)\, H(N/d^2)$$

where μ(d) is the Möbius function defined by μ(d) = (−1)^k if d is equal to a product of k distinct primes (including k = 0), and μ(d) = 0 otherwise.

Proof. The first formula follows immediately from the definition of H(N). The second formula is a direct consequence of the Möbius inversion formula (see [H-W]). □

From  this  lemma,  it  follows  that  the  computation  of  a  table  of  the  function 
H(N )  is  essentially  equivalent  to  the  computation  of  a  table  of  the  function 
h(D). 

For D = −N, Algorithm 5.3.5 computes a quantity similar to H(N) but without the denominator w(−N/d²)/2 in the formula given above. Hence, it can be readily adapted to compute H(N) itself by replacing step 3 with the following:

3'. [Test] If a ∤ q go to step 4. Now if a = b then if ab = q set h ← h + 1/3 otherwise set h ← h + 1 and go to step 4. If a² = q, then if b = 0 set h ← h + 1/2, otherwise set h ← h + 1. In all other cases (i.e. if a ≠ b and a² ≠ q) set h ← h + 2.

The theory of modular forms of weight 3/2 tells us that the Fourier series

$$\sum_{N=0}^{\infty} H(N)\, e^{2i\pi N\tau}$$

has a special behavior when one changes τ by a linear fractional transformation τ ↦ (aτ + b)/(cτ + d) in PSL_2(Z). Combined with other results, this gives many nice recursion formulas for H(N) which are very useful for practical computation. Let σ(n) = Σ_{d|n} d be the sum of divisors function, and define

$$\lambda(n) = \frac{1}{2}\sum_{d \mid n} \min(d, n/d) = {\sum_{d \mid n,\ d \le \sqrt{n}}}' d,$$

where Σ' means that if the term d = √n is present it should have coefficient 1/2. In addition we define σ(n) = λ(n) = 0 if n is not integral. Then (see [Eic2], [Zag1]):


Theorem 5.3.8 (Hurwitz, Eichler). We have the following relations, where it is understood that the summation variable s takes positive, zero or negative values:

$$\sum_{s^2 \le 4N} H(4N - s^2) = 2\sigma(N) - 2\lambda(N),$$

and if N is odd,

$$\sum_{s^2 \le N,\ s \equiv (N+1)/2 \pmod 2} H(N - s^2) = \frac{\sigma(N)}{3} - \lambda(N).$$


From a computational point of view, the second formula is better. It is used in the following way:

Corollary 5.3.9. If N ≡ 3 (mod 4), then

$$H(N) = \frac{\sigma(N)}{3} - \lambda(N) - 2\sum_{1 \le s \le \sqrt{N/4}} H(N - 4s^2),$$

and if N ≡ 0 (mod 4), then

$$H(N) = \frac{\sigma(N+1)}{6} - \frac{\lambda(N+1)}{2} - \sum_{1 \le s \le (\sqrt{N+1}-1)/2} H\bigl(N - 4s(s+1)\bigr).$$


This corollary allows us to compute a table of class numbers up to any given bound M in time O(M^{3/2}), hence is comparable to the method using reduced forms. It is slightly simpler to implement, but has the disadvantage that individual class numbers cannot be computed without knowing the preceding ones. It has an advantage, however, in that the computation of a block of class numbers can be done simply using the table of the lower ones, while this cannot be done with the reduced forms technique, at least without wasting a lot of time.
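As an added example (not the book's code), the recursion of Corollary 5.3.9 is carried out below in exact rational arithmetic, starting from H(0) = −1/12 and filling the table upward, and Lemma 5.3.7 (2) is then used to recover h'(−N) by Möbius inversion; σ, λ and the helper names are as defined in the text, the function names are mine.

```python
import math
from fractions import Fraction

def divisors(n):
    """Positive divisors of n >= 1, by trial division up to sqrt(n)."""
    small = [d for d in range(1, math.isqrt(n) + 1) if n % d == 0]
    return sorted(set(small) | {n // d for d in small})

def sigma(n):
    """sigma(n): the sum of the divisors of n."""
    return sum(divisors(n))

def lam(n):
    """lambda(n) = (1/2) sum_{d | n} min(d, n/d): the divisors d <= sqrt(n), a term d = sqrt(n) weighted 1/2."""
    return Fraction(sum(min(d, n // d) for d in divisors(n)), 2)

def mobius(d):
    """Moebius function: (-1)^k for a product of k distinct primes, 0 if a square divides d."""
    k, p = 0, 2
    while p * p <= d:
        if d % p == 0:
            d //= p
            if d % p == 0:
                return 0
            k += 1
        else:
            p += 1
    return (-1) ** (k + (1 if d > 1 else 0))

def hurwitz_table(M):
    """H(0), H(1), ..., H(M) by Corollary 5.3.9, each value computed from the lower ones."""
    H = [Fraction(0)] * (M + 1)
    H[0] = Fraction(-1, 12)
    for N in range(1, M + 1):
        if N % 4 == 3:
            # 1 <= s <= sqrt(N/4), i.e. 4 s^2 <= N
            tail = sum(H[N - 4 * s * s] for s in range(1, math.isqrt(N // 4) + 1))
            H[N] = Fraction(sigma(N), 3) - lam(N) - 2 * tail
        elif N % 4 == 0:
            # 1 <= s <= (sqrt(N+1) - 1)/2, i.e. (2s+1)^2 <= N + 1
            tail = sum(H[N - 4 * s * (s + 1)] for s in range(1, (math.isqrt(N + 1) - 1) // 2 + 1))
            H[N] = Fraction(sigma(N + 1), 6) - lam(N + 1) / 2 - tail
        # N = 1, 2 (mod 4): H(N) = 0 by definition
    return H

def h_prime(N, H):
    """h'(-N) = sum_{d^2 | N} mu(d) H(N/d^2), Lemma 5.3.7 (2); equal to h(-N) for N > 4."""
    return sum(mobius(d) * H[N // (d * d)] for d in range(1, math.isqrt(N) + 1) if N % (d * d) == 0)
```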

Remark. The above theorem is similar to Theorem 4.9.14 and can be proved similarly. While ζ_K(−1) is closely linked to r_5(D) when D > 0, ζ_K(0) (or essentially h(D)) is closely linked to r_3(−D) when D < 0. More precisely we have (see [Coh2]):

Proposition 5.3.10. Let D < −4 be the discriminant of an imaginary quadratic field K. Then the number r_3(|D|) of representations of |D| as a sum of 3 squares of elements of Z (counting representations with a different ordering as distinct) is given by

$$r_3(|D|) = -24\left(1 - \left(\frac{D}{2}\right)\right)\zeta_K(0) = 12\left(1 - \left(\frac{D}{2}\right)\right) h(D).$$

(This formula must be slightly modified if D is not the discriminant of an imaginary quadratic field, see [Coh2].)


5.3.3  Computing  Class  Numbers  Using  Analytic  Formulas 

It  would  carry  us  too  far  afield  to  enter  into  the  details  of  the  analytic  theory 
of  L-functions,  hence  we  just  recall  a  few  definitions  and  results. 


Proposition 5.3.11 (Dirichlet). Let D be a negative discriminant (not necessarily fundamental), and define

$$L_D(s) = \sum_{n \ge 1} \left(\frac{D}{n}\right) n^{-s}.$$

This series converges for Re(s) > 1, and defines an analytic function which can be analytically continued to the whole complex plane to an entire function. If in addition D is a fundamental discriminant, this function satisfies the functional equation

$$\Lambda_D(1 - s) = \Lambda_D(s),$$

where we have set

$$\Lambda_D(s) = \left(\frac{|D|}{\pi}\right)^{(s+1)/2} \Gamma\left(\frac{s+1}{2}\right) L_D(s).$$


The  link  with  class  numbers  is  the  following  result  also  due  to  Dirichlet: 


Proposition 5.3.12. If D is a negative discriminant (not necessarily fundamental), then

$$L_D(1) = \frac{2\pi\, h(D)}{w(D)\sqrt{|D|}}$$

and in particular L_D(1) = π h(D)/√|D| if D < −4.
Note that these results are special cases of Theorem 4.9.12 since it immediately follows from Proposition 5.1.4 that if K = Q(√D), then

$$\zeta_K(s) = \zeta(s)\, L_D(s).$$


The series L_D(1) is only conditionally convergent, hence it is not very reasonable to compute L_D(1) directly using Dirichlet's theorem. A suitable transformation of the series however gives the following:


Corollary 5.3.13. If D < −4 is a fundamental discriminant, then

$$h(D) = -\frac{1}{|D|}\sum_{1 \le r \le |D|} r\left(\frac{D}{r}\right) = \frac{1}{2 - \left(\frac{D}{2}\right)}\sum_{1 \le r \le |D|/2}\left(\frac{D}{r}\right).$$

This formula is aesthetically very pleasing, and it can be transformed into even simpler expressions. It is unfortunately totally useless from a computational point of view since one must compute D terms each involving the computation (admittedly rather short) of a Kronecker symbol. Hence, the execution time would be O(|D|^{1+ε}), worse than the preceding methods.

A  considerable  improvement  can  be  obtained  if  we  also  use  the  functional 
equation.  This  leads  to  a  formula  which  is  less  pleasing,  but  which  is  much 
more  efficient: 


Proposition 5.3.14. Let D < −4 be a fundamental discriminant. Then

$$h(D) = \sum_{n \ge 1}\left(\frac{D}{n}\right)\left(\operatorname{erfc}\left(n\sqrt{\frac{\pi}{|D|}}\right) + \frac{\sqrt{|D|}}{\pi n}\, e^{-\pi n^2/|D|}\right),$$

where

$$\operatorname{erfc}(x) = \frac{2}{\sqrt{\pi}}\int_x^{\infty} e^{-t^2}\,dt$$

is the complementary error function.

Note that the function erfc(x) can be computed efficiently using the following formulas.

Proposition 5.3.15.

(1) We have for all x

$$\operatorname{erfc}(x) = 1 - \frac{2}{\sqrt{\pi}}\sum_{k \ge 0} \frac{(-1)^k x^{2k+1}}{k!\,(2k+1)},$$

and this should be used when x is small, say x < 2.
(2) We have for all x > 0

$$\operatorname{erfc}(x) = \frac{e^{-x^2}}{x\sqrt{\pi}}\left(1 - \cfrac{1/2}{2 + X - \cfrac{1 \cdot 3/2}{4 + X - \cfrac{2 \cdot 5/2}{6 + X - \cdots}}}\right)$$

where X = x² − 1/2, and this should be used for x large, say x ≥ 2.


Implementation Remark. When implementing these formulas it is easy to make a mistake in the computation of erfc(x), and tables of this function are not always at hand. One good check is of course that the value found for h(D) must be close to an integer, and for small D equal to the values found by the slower methods. Another check is that, although we have given the most rapidly convergent series for h(D) which can be obtained from the functional equation, we can get a one parameter family of formulas:

$$h(D) = \sum_{n \ge 1}\left(\frac{D}{n}\right)\left(\operatorname{erfc}\left(n\sqrt{\frac{\pi}{A|D|}}\right) + \frac{\sqrt{|D|}}{\pi n}\, e^{-\pi A n^2/|D|}\right).$$

The sum of the series must be independent of A > 0.

The above results show that the series given in Proposition 5.3.14 for h(D) converges exponentially, and since h(D) is an integer it is clear that the computation time of h(D) by this method is O(|D|^{1/2+ε}) for any ε > 0, however with a large O constant. In fact it is not difficult to show the following precise result:

Corollary 5.3.16. With the same notations as in Proposition 5.3.14, h(D) is the closest integer to the n-th partial sum of the series of Proposition 5.3.14 for h(D), where n = ⌈√|D| ln|D| /(2π)⌉.

Hence, we see that this method is considerably faster than the two preceding methods, at least for sufficiently large discriminants. In addition, it is possible to avoid completely the computation of the higher transcendental function erfc, and this makes the method even more attractive (See Exercise 28).
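As an added example (not the book's code), the following Python implements the analytic method as just described: the Kronecker symbol (D/n), erfc by the series of Proposition 5.3.15 (1) below 2 and by its continued fraction (2) from 2 on, the partial sum of Proposition 5.3.14 with the number of terms of Corollary 5.3.16, and the parameter A of the Implementation Remark as an independent check; the function names are mine and the results are compared against the class numbers listed in the table above.

```python
import math

def legendre(D, p):
    """Legendre symbol (D/p) for an odd prime p, by Euler's criterion."""
    r = pow(D % p, (p - 1) // 2, p)
    return 0 if r == 0 else (1 if r == 1 else -1)

def kronecker(D, n):
    """Kronecker symbol (D/n) for n >= 1: the factor 2 is decided by D mod 8, odd primes by legendre."""
    result = 1
    while n % 2 == 0:
        if D % 2 == 0:
            return 0
        result *= 1 if D % 8 in (1, 7) else -1
        n //= 2
    p = 3
    while p * p <= n:
        while n % p == 0:
            result *= legendre(D, p)
            n //= p
        p += 2
    if n > 1:
        result *= legendre(D, n)
    return result

def erfc_series(x):
    """Proposition 5.3.15 (1): 1 - (2/sqrt(pi)) sum_k (-1)^k x^(2k+1) / (k! (2k+1)), for x < 2."""
    total, term, k = 0.0, x, 0                 # term = (-1)^k x^(2k+1) / k!
    while abs(term) > 1e-18 or k < 3:
        total += term / (2 * k + 1)
        k += 1
        term *= -x * x / k
    return 1.0 - 2.0 / math.sqrt(math.pi) * total

def erfc_cf(x, depth=80):
    """Proposition 5.3.15 (2): the continued fraction in X = x^2 - 1/2, evaluated from its tail, for x >= 2."""
    X = x * x - 0.5
    d = X + 2 * depth                          # innermost denominator 2*depth + X
    for k in range(depth - 1, 0, -1):          # numerator over the denominator 2k + X is k(2k+1)/2
        d = X + 2 * k - (k * (2 * k + 1) / 2) / d
    return math.exp(-x * x) / (x * math.sqrt(math.pi)) * (1.0 - 0.5 / d)

def erfc(x):
    """The switch the text recommends: series below 2, continued fraction from 2 on."""
    return erfc_series(x) if x < 2 else erfc_cf(x)

def erfc_max_rel_error(xs):
    """Largest relative deviation of erfc above from the library erfc over the points xs (a self-check)."""
    return max(abs(erfc(x) - math.erfc(x)) / math.erfc(x) for x in xs)

def terms_needed(D):
    """Corollary 5.3.16: n = ceil(sqrt(|D|) ln|D| / (2 pi)) terms of the partial sum suffice."""
    N = -D
    return math.ceil(math.sqrt(N) * math.log(N) / (2 * math.pi))

def class_number_analytic(D, A=1.0, nterms=None):
    """Proposition 5.3.14 (A = 1) and the one-parameter family of the Implementation Remark:
    for a fundamental discriminant D < -4 the sum is h(D), whatever A > 0."""
    N = -D
    if nterms is None:
        nterms = terms_needed(D)
    total = 0.0
    for n in range(1, nterms + 1):
        chi = kronecker(D, n)
        if chi:
            total += chi * (erfc(n * math.sqrt(math.pi / (A * N)))
                            + math.sqrt(N) / (math.pi * n) * math.exp(-math.pi * A * n * n / N))
    return total
```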

It  is  reasonable  to  compute  class  numbers  of  discriminants  having  12  to  15 
digits  by  this  method,  but  not  much  more.  We  must  therefore  find  still  better 
methods.  In  addition,  we  still  have  not  given  any  method  for  computing  the 
class  group. 
5.4 Class Groups of Imaginary Quadratic Fields

It was noticed by Shanks in 1968 that if one tries to obtain the class group structure and not only the class number, this leads to an algorithm which is much faster than the preceding algorithms, in average time O(|D|^{1/4+ε}) or even O(|D|^{1/5+ε}) if the Generalized Riemann Hypothesis is true, for any ε > 0. Hence not only does one get much more information, i.e. the whole group structure, but even if one is interested only in the class number, this is a much better method.

Before  entering  into  the  details  of  the  algorithm,  we  will  describe  a  method 
introduced  (for  this  purpose)  by  Shanks  and  which  is  very  useful  in  many 
group-theoretic  and  similar  contexts. 


5.4.1  Shanks’s  Baby  Step  Giant  Step  Method 


We first explain the general idea. Let G be a finite Abelian group and g an element of G. We want to compute the order of g in G, i.e. the smallest positive integer n such that g^n = 1, where we denote by 1 the identity element of G. One way of doing this is simply to compute g, g², g³, …, until one gets 1. This clearly takes O(n) group operations. In certain cases, it is impossible to do much better. In most cases however, one knows an upper bound, say B on the number n, and in that case one can do much better, using Shanks's baby-step giant-step strategy. One proceeds as follows. Let q = ⌈√B⌉. Compute 1, g, …, g^{q−1}, and set g_1 = g^{−q}. Then if the order n of g is written in the form n = aq + r with 0 ≤ r < q, by the choice of q we must also have a ≤ q. Hence, for a = 1, …, q we compute g_1^a and check whether or not it is in our list of g^r for r < q. If it is, we have g^{aq+r} = 1, hence n is a divisor of aq + r, and the exact order can easily be obtained by factoring aq + r, at least if aq + r is of factorable size (see Chapter 10). This method clearly requires only O(B^{1/2}) group operations, and this number is much smaller than O(n) if B is a reasonable upper bound.


There is however one pitfall to avoid in this algorithm: we need to search (at most q times) if an element belongs to a list having q elements. If this is done naively, this will take O(q²) = O(B) comparisons, and even if group operations are much slower than comparisons, this will ultimately dominate the running time and render the method useless. To avoid this, we can first sort the list of q elements, using an O(q ln q) sorting method such as heapsort (see [Knu3]). A search in a sorted list will then take only O(ln q) comparisons, bringing the total time down to O(q ln q). We can also use hashing techniques (see [Knu3] again).

This simple instance of Shanks's method involves at most q "giant steps" (i.e. multiplication by g_1), each of size q. Extra information on n can be used to improve the efficiency of the algorithm. We give two basic examples. Assume that in addition to an upper bound B, we also know a lower bound C, say, so that C ≤ n ≤ B. Then, by starting our list with g^C instead of g^0 = 1, we can reduce both the maximum number of giant steps and the size of the giant steps (and of the list) to ⌈√(B − C)⌉.

As a second example, assume that we know that n satisfies some congruence condition n ≡ n_0 (mod b). Then it is easily seen that one can reduce the size and number of giant steps to ⌈√(B/b)⌉.


Shanks’s  method  is  usually  used  not  only  to  find  the  order  of  an  element 
of  the  group  G,  but  the  order  of  the  group  itself.  If  g  is  a  generator  of  G , 
the  preceding  algorithm  does  the  trick.  In  general  however  this  will  not  be  the 
case,  and  in  addition  G  may  be  non-cyclic  (although  cyclic  groups  occur  much 
more  often  than  one  expects,  see  Section  5.10).  In  this  case  we  must  use  the 
whole  group  structure,  and  not  only  one  cyclic  part.  To  do  this,  we  can  use 
the  following  algorithm. 


Algorithm 5.4.1 (Shanks's Baby-Step Giant-Step Method). Given that one can compute in G, and the inequalities B/2 < C ≤ h ≤ B on the order h of G, this algorithm finds h. We denote by 1 the identity element of G and by · the product operation in G. The variables S and L will represent subsets of G.

1. [Initialize] Set h ← 1, C_1 ← C, B_1 ← B, S ← {1}, L ← {1}.

2. [Take a new g] (Here we know that the order of G is a multiple of h). Choose a new random g ∈ G, q ← ⌈√(B_1 − C_1)⌉.

3. [Compute small steps] Set x_0 ← 1, x_1 ← g^h and if x_1 = 1 set n ← 1 and go to step 6. Otherwise, for r = 2 to r = q − 1 set x_r ← x_1 · x_{r−1}. For each r with 0 ≤ r < q set S_{1,r} ← x_r · S, S_1 ← ∪_{0≤r<q} S_{1,r}, and sort S_1 so that a search in S_1 is easy. If during this computation one finds 1 ∈ S_{1,r} for r > 0, set n ← r (where r is the smallest) and go to step 6. Otherwise, set y ← x_1 · x_{q−1}, z ← x_1^{C_1}, n ← C_1.

4. [Compute giant steps] For each w ∈ L, set z_1 ← z · w and search for z_1 in the sorted list S_1. If z_1 is found and z_1 ∈ S_{1,r}, set n ← n − r and go to step 6.

5. [Continue] Set z ← y · z, n ← n + q. If n ≤ B_1 go to step 4. Otherwise output an error message stating that the order of G is larger than B and terminate the algorithm.

6. [Initialize order] Set n ← hn.

7. [Compute the order of g mod L · S] (Here we know that g^n ∈ L · S). For each prime p dividing n, do the following: set S_1 ← g^{n/p} · S and sort S_1. If there exists a z ∈ L such that z ∈ S_1, set n ← n/p and go to step 7.

8. [Finished?] Set h ← hn. If h ≥ C then output h and terminate the algorithm. Otherwise, set B_1 ← ⌊B_1/n⌋, C_1 ← ⌈C_1/n⌉, q ← ⌈√n⌉, S ← ∪_{0≤r<q} g^r · S, y ← g^q, L ← ∪_{0≤a<q} y^a · L and go to step 2.

This is of course a probabilistic algorithm. The correctness of the result depends in an essential way on the correctness of the bounds C and B. Since during the algorithm the order of G is always a multiple of h, and since C > B/2, the stopping criterion h ≥ C in step 8 is correct (any multiple of h larger than h would be larger than B). In practice however we may not be so lucky as to have a lower bound C such that C > B/2. In that case, one cannot easily give any stopping criteria, and my advice is to stop as soon as h has not changed after 10 passes through step 8. Note however that this is no longer an algorithm, since nothing guarantees the correctness of the result.

Note that if g_i are elements of G of respective orders e_i, then the exponent of G is a multiple of the least common multiple (LCM) of the e_i. Hence, if one expects the exponent of the group to be not too much lower than the order h, one can use a much simpler method in which one simply computes the LCM of the orders of sufficiently many random elements of G, and then takes the multiple of this LCM which is between the given bounds C and B. For this to succeed, the bounds have to be close enough. In practice, it is advised to first use this method to get a tentative order, then to use the rigorous algorithm given above to prove it, since a knowledge of the exponent of G can clearly be used to improve the efficiency of Algorithm 5.4.1.

Let us explain why Algorithm 5.4.1 works. Let H be the true order of G. Consider the first g. We have g^H = 1, and if we write H − C = aq − r with 0 ≤ r < q and q = ⌈√(B − C)⌉, then also a − 1 < (H − C)/q ≤ (B − C)/q ≤ q hence a ≤ q. This implies that we have an equality of the form

$$g^C \cdot (g^q)^a = g^r$$

with 0 ≤ r < q and 1 ≤ a ≤ q. This is detected in step 4 of the algorithm, where we have x_r = g^r, y = g^q and z_1 = g^C · (g^q)^a. When we arrive in step 6 we know that g^n = 1 with n = C + aq − r, hence the order of g is a divisor of n, and step 7 is the standard method for computing the order of an element in a group.

After that, h is set to the order of g, and by a similar baby step giant step construction, S and L are constructed so that S · L = ⟨g⟩, the subgroup generated by g. We also know that the order H of G is a multiple of h. Hence, for a new g_1, instead of writing g_1^H = 1 and H − C = aq − r we will write (g_1)^{H_1} ∈ ⟨g⟩ and H_1 − C_1 = aq_1 − r_1, where H_1 = H/h is known to be between C_1 = ⌈C/h⌉ and B_1 = ⌊B/h⌋, whence the modifications given in the algorithm when we start with a new g. □

Note  that  as  we  have  already  mentioned,  it  is  essential  to  do  some  kind 
of  ordering  on  the  xr  in  step  3,  otherwise  the  search  time  in  step  4  would 
dominate  the  total  time.  In  practical  implementations,  the  best  method  is 
probably  not  to  sort  completely,  but  to  use  hashing  techniques  (see  [Knu3]). 

The expected running time of this algorithm is O((B − C)^{1/2}) group operations, and this is usually O(B^{1/2+ε}) for all ε > 0. For obvious reasons, the method above is called Shanks's baby-step giant-step method, and it can be profitably used in many contexts. For example, it can be used to compute class numbers and class groups (see Algorithm 5.4.10), regulators (see Algorithm 5.8.5), or the number of points of an elliptic curve over a finite field (see Algorithm 7.4.12).
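As an added example (not the book's code), the baby-step giant-step order computation for one element is written out below with the two refinements discussed above: the table of baby steps is a hash table (a Python dict), the giant steps start at g^C when a lower bound C is known, and the multiple of the order found is refined to the exact order by the prime-by-prime method of step 7; the LCM heuristic of the paragraph following Algorithm 5.4.1 is included as well. The group law is passed in as a function; the constructed test group is the multiplicative group of Z/pZ for the prime p = 10007, and all names are mine.

```python
import math

def power(g, e, mul, identity):
    """g^e by binary exponentiation, using only the group law mul."""
    result, base = identity, g
    while e > 0:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result

def prime_factors(m):
    """Distinct prime factors of m by trial division (m is of factorable size here)."""
    primes, p = [], 2
    while p * p <= m:
        if m % p == 0:
            primes.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        primes.append(m)
    return primes

def exact_order(g, m, mul, identity):
    """Given g^m = 1, divide m by each prime p as long as g^(m/p) = 1 (the refinement of step 7)."""
    for p in prime_factors(m):
        while m % p == 0 and power(g, m // p, mul, identity) == identity:
            m //= p
    return m

def naive_order(g, mul, identity):
    """The O(n) method: multiply by g until the identity appears (used only as a check)."""
    n, x = 1, g
    while x != identity:
        x = mul(x, g)
        n += 1
    return n

def element_order_bsgs(g, mul, identity, C, B):
    """Order of g given C <= ord(g) <= B, in O(sqrt(B - C)) group operations.
    Baby steps g^r, 0 <= r < q, go into a dict; giant steps run through g^(C + a q), a = 0..q."""
    q = math.isqrt(B - C)
    if q * q < B - C:
        q += 1                                   # q = ceil(sqrt(B - C))
    q = max(q, 1)
    baby = {}                                    # element -> smallest r with g^r equal to it
    x = identity
    for r in range(q):
        if r > 0 and x == identity:              # the order is below q: found among the baby steps
            return exact_order(g, r, mul, identity)
        baby.setdefault(x, r)
        x = mul(x, g)
    y = x                                        # y = g^q, the giant step
    z = power(g, C, mul, identity)               # z = g^C: the list effectively starts at g^C
    for a in range(q + 1):
        r = baby.get(z)
        if r is not None and C + a * q != r:     # g^(C + a q) = g^r, so g^|C + a q - r| = 1
            return exact_order(g, abs(C + a * q - r), mul, identity)
        z = mul(z, y)
    raise ValueError("the order of g is not in [C, B]")

def order_from_lcm(elements, mul, identity, C, B):
    """Heuristic from the text: the lcm of some element orders divides the exponent of G;
    return the unique multiple of it in [C, B] as the tentative group order, or None if not unique."""
    e = 1
    for g in elements:
        e = math.lcm(e, element_order_bsgs(g, mul, identity, 1, B))
    multiples = [m for m in range(e, B + 1, e) if m >= C]
    return multiples[0] if len(multiples) == 1 else None

# Constructed test group (not from the text): (Z/pZ)^* for the prime p = 10007, of order 10006.
P = 10007

def mul_mod_p(a, b):
    return a * b % P
```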
We must now explain how to obtain the whole group structure. Call g_1, …, g_k the elements of G which are chosen in step 2. Then when a match is found in step 3 or 4, we must record not only the exponent of g which occurs, but the specific exponents of the preceding g_j. In other words, one must keep track of the multi-index exponents in the lists L and S. If at step i we have a relation of the form g_1^{k_{1,i}} ⋯ g_i^{k_{i,i}} = 1 with g = g_i and k_{i,i} = n after step 7 in the notation of the algorithm, we then consider the matrix K = (k_{i,j}) where we set k_{i,j} = 0 if i > j. Then we compute the Smith normal form of this matrix using Algorithm 2.4.14, and if d_i are the diagonal elements of the Smith normal form, we have

$$G \simeq \bigoplus_{1 \le i \le k} (\mathbb{Z}/d_i\mathbb{Z}),$$

i.e. the group structure of G.

5.4.2  Reduction  and  Composition  of  Quadratic  Forms 

Before being able to apply the above algorithm (or any other algorithm using the group structure) to the class group, it is absolutely essential to be able to compute in the class group. As already mentioned, we could do this by using HNF computations on ideals. Although theoretically equivalent, it is more practical however to work on classes of quadratic forms. In Theorem 5.2.8 we have seen that the set of classes of quadratic forms is in a natural bijection with the class group. Hence, we can easily transport this group structure so as to give a group structure to classes of quadratic forms. This operation, introduced by Gauss in 1798, is called composition of quadratic forms. Also, since we will want to work with a class of forms, we will have a reduction procedure which, given any quadratic form, will give us the unique reduced form in its class. I refer the reader to [Len1] and [Bue] for more details on this subject.

The reduction algorithm is a variant of Euclid's algorithm:

Algorithm 5.4.2 (Reduction of Positive Definite Forms). Given a positive definite quadratic form $f = (a, b, c)$ of discriminant $D = b^2 - 4ac < 0$, this algorithm outputs the unique reduced form equivalent to f.

1. [Initialize] If $-a < b \le a$ go to step 3.

2. [Euclidean step] Let $b = 2aq + r$ with $0 \le r < 2a$ be the Euclidean division of b by 2a. If $r > a$, set $r \leftarrow r - 2a$ and $q \leftarrow q + 1$. (In other words, we want $b = 2aq + r$ with $-a < r \le a$.) Then set $c \leftarrow c - \frac{1}{2}(b + r)q$, $b \leftarrow r$.

3. [Finished?] If $a > c$ set $b \leftarrow -b$, exchange a and c and go to step 2. Otherwise, if $a = c$ and $b < 0$, set $b \leftarrow -b$. Output (a, b, c) and terminate the algorithm.

The proof of the validity of this algorithm follows from the proof of Proposition 5.3.3. Note that in step 2 we could have written $c \leftarrow c - bq + aq^2$, but writing it the way we have done avoids one multiplication per loop.

This algorithm has exactly the same behavior as Euclid's algorithm which we have analyzed in Chapter 1, hence is quite fast. In fact, we have the following.


Proposition 5.4.3. The number of Euclidean steps in Algorithm 5.4.2 is at most equal to

$$2 + \left\lceil \lg \frac{a}{\sqrt{|D|}} \right\rceil.$$

Proof. Consider the form (a, b, c) at the beginning of step 3. Note first that if $a > \sqrt{|D|}$ then

$$c = \frac{b^2 + |D|}{4a} \le \frac{a^2 + a^2}{4a} = \frac{a}{2},$$

hence, since in step 3 a and c are exchanged, a decreases by a factor at least equal to 2. Hence, after at most $\lceil \lg(a/\sqrt{|D|}) \rceil$ steps, we obtain at the beginning of step 3 a form with $a \le \sqrt{|D|}$. Now we have the following lemma.

Lemma 5.4.4. Let (a, b, c) be a positive definite quadratic form of discriminant $D = b^2 - 4ac < 0$ such that $-a < b \le a$ and $a \le \sqrt{|D|}$. Then either (a, b, c) is already reduced, or the form (c, r, s) where $-b = 2cq + r$ with $-c < r \le c$ obtained by one reduction step of Algorithm 5.4.2 will be reduced.

Proof. If (a, b, c) is already reduced, there is nothing to prove. Assume it is not. Since $-a < b \le a$, this means that $a > c$ or $a = c$ and $b < 0$. This last case is trivial since at the next step we obtain the reduced form $(a, -b, a)$. Hence, assume $a > c$. If $-c < -b \le c$, then $q = 0$ and so $(c, r, s) = (c, -b, a)$ is reduced. If $a > 2c$, then $c < \sqrt{|D|/4}$, and hence (c, r, s) is reduced by Lemma 5.3.4. So we may assume $c < a \le 2c$ and $-b \le -c$ or $-b > c$. Since $|b| \le a$, it follows that in the Euclidean division of $-b$ by 2c we must have $q = \pm 1$, the sign being the sign of $-b$. Now we have $s = a - bq + cq^2$, hence when $q = \pm 1$, $s = a \mp b + c \ge c$ since $|b| \le a$. This proves that (c, r, s) is reduced, except perhaps when $s = c$. In that case however we must have $a = \pm b$, hence $a = b$ so $b > 0$, $q = -1$ and $r = 2c - b > 0$. Therefore (c, r, s) is also reduced in this case. This proves the lemma, and hence Proposition 5.4.3. □


We will now consider composition of forms. Although the group structure on ideal classes carries over only to classes of quadratic forms via the maps $\phi_{FI}$ and $\phi_{IF}$ defined in Section 5.2, we can define an operation between forms, which we call composition, which becomes a group law only at the level of classes modulo $\mathrm{PSL}_2(\mathbb{Z})$. Hence we will usually work on the level of forms.

Let $(a_1, b_1, c_1)$ and $(a_2, b_2, c_2)$ be two quadratic forms with the same discriminant D, and consider the corresponding ideals

$$I_k = a_k\mathbb{Z} + \frac{-b_k + \sqrt{D}}{2}\mathbb{Z} \qquad (k = 1, 2)$$

given by the map $\phi_{FI}$ of Theorem 5.2.4. We have the following lemma.

Lemma 5.4.5. Let $I_1$ and $I_2$ be two ideals as above, set $s = (b_1 + b_2)/2$, $d = \gcd(a_1, a_2, s)$, and let u, v, w be integers such that $ua_1 + va_2 + ws = d$. Then we have

$$I_1 \cdot I_2 = d\left(A\mathbb{Z} + \frac{-B + \sqrt{D}}{2}\mathbb{Z}\right),$$

where

$$A = \frac{a_1 a_2 d_0}{d^2}, \qquad B = b_2 + \frac{2a_2}{d}\left(v(s - b_2) - wc_2\right)$$

and $d_0 = 1$ if at least one of the forms $(a_1, b_1, c_1)$ or $(a_2, b_2, c_2)$ is primitive and in general $d_0 = \gcd(a_1, a_2, s, c_1, c_2, n)$ where $n = (b_1 - b_2)/2$.

Proof. The ideal $I_3 = I_1 \cdot I_2$ is generated as a $\mathbb{Z}$-module by the four products of the generators of $I_1$ and $I_2$, i.e. by $g_1 = a_1a_2$, $g_2 = (-a_1b_2 + a_1\sqrt{D})/2$, $g_3 = (-a_2b_1 + a_2\sqrt{D})/2$ and $g_4 = ((b_1b_2 + D)/2 - s\sqrt{D})/2$. Now by Proposition 5.2.1 we know that we can write

$$I_3 = C\left(A\mathbb{Z} + \frac{-B + \sqrt{D}}{2}\mathbb{Z}\right)$$

for some integers A, B and C. It is clear that C is the smallest positive coefficient of $\sqrt{D}/2$ in $I_3$, hence is equal to the GCD of $a_1$, $a_2$ and s, so $C = d$ as stated. If one of the forms is primitive, or equivalently by Proposition 5.2.5 if one of the ideals is invertible, then by Proposition 4.6.8, we have $N(I_3) = N(I_1)N(I_2) = a_1a_2$ and since $N(I_3) = AC^2$ we have $A = a_1a_2/d^2$. (By Exercise 14 of Chapter 4, this will in fact still be true if $\gcd(a_1, b_1, c_1, a_2, b_2, c_2) = 1$, which is a slightly stronger condition than $d_0 = 1$.) This will also follow from the more general result where we make no assumptions of primitivity.

Let us directly determine the value of AC, i.e. the least positive integer belonging to $I_3$. Any element of $I_3$ being of the form $u_1g_1 + u_2g_2 + u_3g_3 + u_4g_4$ for integers $u_i$, the set $I_3 \cap \mathbb{Z}$ is the set of such elements with $u_2a_1 + u_3a_2 - u_4s = 0$. Using Exercise 11, the general solution to this is given by $u_2 = \frac{a_2}{(a_1, a_2)}\nu - \frac{s}{(a_1, s)}\mu$, $u_3 = \frac{s}{(a_2, s)}\lambda - \frac{a_1}{(a_1, a_2)}\nu$, $u_4 = \frac{a_2}{(a_2, s)}\lambda - \frac{a_1}{(a_1, s)}\mu$ for integers $\lambda$, $\mu$, $\nu$. After a short calculation, we see that $I_3 \cap \mathbb{Z} = e\mathbb{Z}$ where

$$e = \gcd\left(\frac{a_1a_2c_1}{(a_2, s)},\ \frac{a_1a_2c_2}{(a_1, s)},\ \frac{a_1a_2n}{(a_1, a_2)},\ a_1a_2\right).$$

Another computation (see Exercise 8) shows that

$$e = \frac{a_1a_2}{(a_1, a_2, s)}\gcd(a_1, a_2, s, c_1, c_2, n),$$

thus giving the claimed value for $A = e/C = e/d$. Since $b_1 = s + n$ and $b_2 = s - n$, it is clear that if one of the forms is primitive then $d_0 = \gcd(a_1, a_2, s, c_1, c_2, n) = 1$, thus proving the statement made above.

Finally, if $d = ua_1 + va_2 + ws$, one possible value of B is clearly

$$B = \frac{ua_1b_2 + va_2b_1 + w(b_1b_2 + D)/2}{d} = \frac{db_2 + va_2(b_1 - b_2) - 2a_2c_2w}{d},$$

thus proving the lemma. □

Note that if one writes $I_i = a_i(\mathbb{Z} + \tau_i\mathbb{Z})$, then we can reformulate the above lemma by saying that (with the same definitions of d, u, v and w) we have $a_3 = a_1a_2d_0/d$ and $\tau_3 = (d/d_0)(u\tau_2 + v\tau_1 + w\tau_1\tau_2)$.

This leads to the following basic definition of the composite of two forms.

Definition 5.4.6. Let $f_1 = (a_1, b_1, c_1)$ and $f_2 = (a_2, b_2, c_2)$ be two quadratic forms of the same discriminant D. Set $s = (b_1 + b_2)/2$, $n = (b_1 - b_2)/2$ and let u, v, w and d be such that

$$ua_1 + va_2 + ws = d = \gcd(a_1, a_2, s)$$

(obtained by two applications of Euclid's extended algorithm), and let $d_0 = \gcd(d, c_1, c_2, n)$. We define the composite of the two forms $f_1$ and $f_2$ as the form

$$(a_3, b_3, c_3) = \left(\frac{a_1a_2d_0}{d^2},\ b_2 + \frac{2a_2}{d}\left(v(s - b_2) - wc_2\right),\ \frac{b_3^2 - D}{4a_3}\right)$$

modulo the action of $\Gamma_\infty$, i.e. viewed as a form in the set F introduced in Section 5.2.

Since composition comes from the product of ideals, using the isomorphism given in Section 5.2, it is clear that the class in F of $(a_3, b_3, c_3)$ does not depend on the particular choices of u, v and w. This can of course also be checked directly (see Exercise 12). Note that if we do not take the class modulo $\Gamma_\infty$, the result is not at all canonical. Therefore when we speak of composition of quadratic forms we will always implicitly assume that we are working modulo the action of $\Gamma_\infty$, i.e. in the set F, and not on quadratic forms themselves.

To obtain the reduced composite of two forms, it is usually necessary to reduce the form obtained by composition. By abuse of language, in the case of negative discriminants we will also call this reduced form the composite of the two forms. (In the case of positive discriminants, there is in general more than one reduced form equivalent to a given form, hence this abuse of language is not permitted.)

Although the raw formulas given in the definition can be used directly, they can be improved by careful rearrangements. This leads to the following algorithm, due to Shanks [Sha1]. Since imprimitive forms are almost never used, for the sake of efficiency we will restrict to the case of primitive forms. Note also that the composite of two primitive forms is still primitive (Exercise 9).

Algorithm 5.4.7 (Composition of Positive Definite Forms). Given two primitive positive definite quadratic forms $f_1 = (a_1, b_1, c_1)$ and $f_2 = (a_2, b_2, c_2)$ with the same discriminant, this algorithm computes the composite $f_3 = (a_3, b_3, c_3)$ of $f_1$ and $f_2$.

1. [Initialize] If $a_1 > a_2$ exchange $f_1$ and $f_2$. Then set $s \leftarrow \frac{1}{2}(b_1 + b_2)$, $n \leftarrow b_2 - s$.

2. [First Euclidean step] If $a_1 \mid a_2$, set $y_1 \leftarrow 0$ and $d \leftarrow a_1$. Otherwise, using Euclid's extended algorithm compute $(u, v, d)$ such that $ua_2 + va_1 = d = \gcd(a_2, a_1)$, and set $y_1 \leftarrow u$.

3. [Second Euclidean step] If $d \mid s$, set $y_2 \leftarrow -1$, $x_2 \leftarrow 0$ and $d_1 \leftarrow d$. Otherwise, using Euclid's extended algorithm compute $(u, v, d_1)$ such that $us + vd = d_1 = \gcd(s, d)$, and set $x_2 \leftarrow u$, $y_2 \leftarrow -v$.

4. [Compose] Set $v_1 \leftarrow a_1/d_1$, $v_2 \leftarrow a_2/d_1$, $r \leftarrow (y_1y_2n - x_2c_2 \bmod v_1)$, $b_3 \leftarrow b_2 + 2v_2r$, $a_3 \leftarrow v_1v_2$, $c_3 \leftarrow (c_2d_1 + r(b_2 + v_2r))/v_1$ (or $c_3 \leftarrow (b_3^2 - D)/(4a_3)$), then reduce the form $f = (a_3, b_3, c_3)$ using Algorithm 5.4.2, output the result and terminate the algorithm.

Note that this algorithm should be implemented as written: in step 2 we first consider the special case $a_1 \mid a_2$ because it occurs very often (at least each time one squares a form, and this is the most frequent operation when one raises a form to a power). Therefore, it should be considered separately for efficiency's sake, although the general Euclidean step would give the same result. Similarly, in step 3 it often happens that $d \mid s$ because $d = 1$ also occurs quite often. Finally, note that the computation of $c_3$ in step 4 can be done using either of the two formulas given.

The generalization of this algorithm to imprimitive forms is immediate (see Exercise 10).

Since we have $|b_3| \le a_3 \le \sqrt{|D|/3}$ and since $c_3$ can be computed from $a_3$ and $b_3$, it seems plausible that one can make most of the computations in Algorithm 5.4.7 using numbers only of size $O(\sqrt{|D|})$ and not $O(D)$ or worse. That this is the case was noticed comparatively recently by Shanks and published only in 1989 [Sha2]. The improvement is considerable since in multi-precision situations it may gain up to a factor of 4, while in the case where $\sqrt{|D|}$ is single precision while D is not, the gain is even larger.

This modified algorithm (called NUCOMP by Shanks) was modified again by Atkin [Atk1]. As mentioned above, squaring of a form is important and simpler, so Atkin gives two algorithms, one for duplication and one for composition.
Algorithm 5.4.8 (NUDUPL). Given a primitive positive definite quadratic form $f = (a, b, c)$ of discriminant D, this algorithm computes the square $f_2 = f^2 = (a_2, b_2, c_2)$ of f. We assume that the constant $L = \lfloor |D/4|^{1/4} \rfloor$ has been precomputed.

1. [Euclidean step] Using Euclid's extended algorithm, compute $(u, v, d_1)$ such that $ub + va = d_1 = \gcd(b, a)$. Then set $A \leftarrow a/d_1$, $B \leftarrow b/d_1$, $C \leftarrow (-cu \bmod A)$, $C_1 \leftarrow A - C$ and if $C_1 < C$, set $C \leftarrow -C_1$.

2. [Partial reduction] Execute Sub-algorithm PARTEUCL(A, C) below (this is an extended partial Euclidean algorithm).

3. [Special case] If $z = 0$, set $g \leftarrow (Bv_3 + c)/d$, $a_2 \leftarrow d^2$, $c_2 \leftarrow v_3^2$, $b_2 \leftarrow b + (d + v_3)^2 - a_2 - c_2$, $c_2 \leftarrow c_2 + gd_1$, reduce the form $f_2 = (a_2, b_2, c_2)$, output the result and terminate the algorithm.

4. [Final computations] Set $e \leftarrow (cv + Bd)/A$, $g \leftarrow (ev_2 - B)/v$ (these divisions are both exact and $v = 0$ has been dealt with in step 3), then $b_2 \leftarrow ev_2 + vg$. Then, if $d_1 > 1$, set $b_2 \leftarrow d_1b_2$, $v \leftarrow d_1v$, $v_2 \leftarrow d_1v_2$. Finally, in order, set $a_2 \leftarrow d^2$, $c_2 \leftarrow v_3^2$, $b_2 \leftarrow b_2 + (d + v_3)^2 - a_2 - c_2$, $a_2 \leftarrow a_2 + ev$, $c_2 \leftarrow c_2 + gv_2$, reduce the form $f_2 = (a_2, b_2, c_2)$, output the result and terminate the algorithm.

Sub-algorithm PARTEUCL(a, b). This algorithm does an extended partial Euclidean algorithm on a and b, but uses the variables v and $v_2$ instead of u and $v_1$ in Algorithm 1.3.6.

1. [Initialize] Set $v \leftarrow 0$, $d \leftarrow a$, $v_2 \leftarrow 1$, $v_3 \leftarrow b$, $z \leftarrow 0$.

2. [Finished?] If $|v_3| > L$ go to step 3. Otherwise, if z is odd, set $v_2 \leftarrow -v_2$ and $v_3 \leftarrow -v_3$. Terminate the sub-algorithm.

3. [Euclidean step] Let $d = qv_3 + t_3$ be the Euclidean division of d by $v_3$ with $0 \le t_3 < |v_3|$. Set $t_2 \leftarrow v - qv_2$, $v \leftarrow v_2$, $d \leftarrow v_3$, $v_2 \leftarrow t_2$, $v_3 \leftarrow t_3$, $z \leftarrow z + 1$ and go to step 2.

I have given the gory details in steps 3 and 4 of Algorithm 5.4.8 just to show how a careful implementation can save time: the formula for $b_2$ in step 4 could have simply been written $b_2 \leftarrow b_2 + 2dv_3$. This would involve one multiplication and 2 additions. Since we need the quantities $d^2$ and $v_3^2$ for $a_2$ and $c_2$ anyway, the way we have written the formula involves 3 additions and one squaring. By a suitable implementation of a method analogous to the splitting method for polynomials explained in Chapter 3, this will be faster than 2 additions and one multiplication. Of course the gain is slight and the lazy reader may implement this in the more straightforward way, but it should be remembered that we are programming a basic operation in a group which will be used a large number of times, so any gain, even small, is worth taking.

Note also that the final reduction of $f_2$ will be very short, usually one or two Euclidean steps at most.

The proof of the validity of the algorithm is not difficult (see [Sha2]) and is left to the reader. It can also be checked that all the iterations (Euclid and reductions) are done on numbers less than $O(\sqrt{|D|})$, and that only a small and fixed number of operations are done on larger numbers.

Let us now look at the general algorithm for composition.

Algorithm 5.4.9 (NUCOMP). Given two primitive positive definite quadratic forms with the same discriminant $f_1 = (a_1, b_1, c_1)$ and $f_2 = (a_2, b_2, c_2)$, this algorithm computes the composite $f_3 = (a_3, b_3, c_3)$ of $f_1$ and $f_2$. As in NUDUPL (Algorithm 5.4.8) we assume already precomputed the constant $L = \lfloor |D/4|^{1/4} \rfloor$. Note that the values of $a_1$ and $a_2$ may get changed, so they should be preserved if needed.

1. [Initialize] If $a_1 < a_2$ exchange $f_1$ and $f_2$. Then set $s \leftarrow \frac{1}{2}(b_1 + b_2)$, $n \leftarrow b_2 - s$.

2. [First Euclidean step] Using Euclid's extended algorithm, compute $(u, v, d)$ such that $ua_2 + va_1 = d = \gcd(a_1, a_2)$. If $d = 1$, set $A \leftarrow -un$, $d_1 \leftarrow d$ and go to step 5. If $d \mid s$ but $d \ne 1$, set $A \leftarrow -un$, $d_1 \leftarrow d$, $a_1 \leftarrow a_1/d_1$, $a_2 \leftarrow a_2/d_1$, $s \leftarrow s/d_1$ and go to step 5.

3. [Second Euclidean step] (here $d \nmid s$) Using Euclid's extended algorithm again, compute $(u_1, v_1, d_1)$ such that $u_1s + v_1d = d_1 = \gcd(s, d)$. Then, if $d_1 > 1$, set $a_1 \leftarrow a_1/d_1$, $a_2 \leftarrow a_2/d_1$, $s \leftarrow s/d_1$ and $d \leftarrow d/d_1$.

4. [Initialization of reduction] Compute $l \leftarrow -u_1(uc_1 + vc_2) \bmod d$ by first reducing $c_1$ and $c_2$ (which are large) modulo d (which is small), doing the operation, and reducing again, then set $A \leftarrow -u(n/d) + l(a_1/d)$.

5. [Partial reduction] Set $A \leftarrow (A \bmod a_1)$, $A_1 \leftarrow a_1 - A$ and if $A_1 < A$ set $A \leftarrow -A_1$, then execute Sub-algorithm PARTEUCL($a_1$, A) above.

6. [Special case] If $z = 0$, set $Q_1 \leftarrow a_2v_3$, $Q_2 \leftarrow Q_1 + n$, $f \leftarrow Q_2/d$, $g \leftarrow (v_3s + c_2)/d$, $a_3 \leftarrow da_2$, $c_3 \leftarrow v_3f + gd_1$, $b_3 \leftarrow 2Q_1 + b_2$, reduce the form $f_3 = (a_3, b_3, c_3)$, output the result and terminate the algorithm.

7. [Final computations] Set $b \leftarrow (a_2d + nv)/a_1$, $Q_1 \leftarrow bv_3$, $Q_2 \leftarrow Q_1 + n$, $f \leftarrow Q_2/d$, $e \leftarrow (sd + c_2v)/a_1$, $Q_3 \leftarrow ev_2$, $Q_4 \leftarrow Q_3 - s$, $g \leftarrow Q_4/v$ (the case $v = 0$ has been dealt with in step 6), and if $d_1 > 1$ set $v_2 \leftarrow d_1v_2$, $v \leftarrow d_1v$. Finally, set $a_3 \leftarrow db + ev$, $c_3 \leftarrow v_3f + gv_2$, $b_3 \leftarrow Q_1 + Q_2 + d_1(Q_3 + Q_4)$, reduce the form $f_3 = (a_3, b_3, c_3)$, output the result and terminate the algorithm.

Note that all the divisions which are performed in this algorithm are exact, and that the final reduction step, as in NUDUPL, will be very short, usually one or two Euclidean steps at most. As for NUDUPL, we leave to the reader the proof of the validity of this algorithm.

Implementation Remark. We have used the basic Algorithm 1.3.6 as a template for Sub-algorithm PARTEUCL. In practice, when dealing with multi-precision numbers, it is preferable to use one of its variants such as Algorithm 1.3.7 or 1.3.8.
5.4.3 Class Groups Using Shanks's Method

From the Brauer-Siegel theorem, we know that the class number h(D) of an imaginary quadratic field grows roughly like $|D|^{1/2}$. This means that the baby-step giant-step algorithm given above allows us to compute h(D) in time $O(|D|^{1/4+\epsilon})$, which is much better than the preceding methods. In fact, suitably implemented, one can reasonably expect to compute class numbers and class groups of discriminants having up to 20 or 25 decimal digits. For taking powers of the quadratic forms one should use the powering algorithm of Section 1.2, using if possible NUDUPL for the squarings and NUCOMP for general composition, or else using Shanks's less optimized but simpler Algorithm 5.4.7. To be able to use the baby-step giant-step Algorithm 5.4.1 however, we need bounds for the class number h(D). Now rigorous and explicit bounds are difficult to obtain, even assuming the GRH. Hence, we will push our luck and give only tentative bounds. Of course, this completely invalidates the rigor of the algorithm. To be sure that the result is correct, one should start with proven bounds like $C = 0$ and $B = \frac{1}{\pi}\sqrt{|D|}\ln|D|$ (see Exercise 27), however the performance is much worse.

Now the series giving $L_D(1)$ is only conditionally convergent, as is the corresponding Euler product. However this Euler product is faster to compute to a given accuracy, since only the primes are needed. Hence, to start Shanks's algorithm, we take a large prime number bound P (say $P = 2^{18}$), and guess that, for $D < -4$, h(D) will be close to $\tilde h$. Assuming GRH, one can show that

$$h(D) - \tilde h = O\left(\tilde h P^{-1/2}\ln(P|D|)\right),$$

and one can give explicit values for the O constant. In practice, Shanks noticed experimentally that the relative error is around 1/1000 when $P = 2^{17}$. Hence, if we use these numerical bounds combined with the baby-step giant-step method, we will correctly compute h(D) unless the exponent of the group is very small compared to the order.

A very important speedup in computing h(D) by Shanks's method is obtained by noticing that the inverse for composition of the form (a, b, c) is the form $(a, -b, c)$, hence requires no calculation. Hence, one can double the size of the giant steps (by setting $y \leftarrow (xg)^2$ instead of $y \leftarrow xg$ in step 3 of Algorithm 5.4.1). Therefore the optimal value for q is no longer $\sqrt{B - C}$ but rather $\sqrt{(B - C)/2}$.

Finally, note that during the computation of the Euler product leading to $\tilde h$, we will also have found the primes p for which $\left(\frac{D}{p}\right) = 1$. For the first few such p, we compute the square root $b_p$ of D mod 4p by a simple modification of Algorithm 1.5.1, and we store the forms $(p, b_p, c_p)$ where $c_p = (b_p^2 - D)/(4p)$. These will be used as our "random" x in step 2 of the algorithm.

Putting all these ideas together leads to the following method:

Heuristic Algorithm 5.4.10 (h(D) Using Baby-Step Giant-Step). If $D < -4$ is a discriminant, this algorithm tries to compute h(D) using a simpleminded version of Shanks's baby-step giant-step method. We denote by $\cdot$ the operation of composition of quadratic forms, and by 1 the unit element in the class group. We choose a small bound b (for example $b = 10$).

1. [Compute Euler product] For $P = \max(2^{18}, |D|^{1/4})$, compute the product Q. Then set $B \leftarrow \lfloor Q(1 + 1/(2\sqrt{P})) \rfloor$, $C \leftarrow \lceil Q(1 - 1/(2\sqrt{P})) \rceil$. For the first b values of p such that $\left(\frac{D}{p}\right) = 1$, compute $b_p$ such that $b_p^2 \equiv D \pmod{4p}$ using Algorithm 1.5.1 (and modifying the result to get the correct parity). Set $f_p \leftarrow (p, b_p, (b_p^2 - D)/(4p))$.

2. [Initialize] Set $e \leftarrow 1$, $c \leftarrow 0$, $B_1 \leftarrow B$, $C_1 \leftarrow C$, $Q_1 \leftarrow Q$.

3. [Take a new g] (Here we know that the exponent of Cl(D) is a multiple of e). Set $g \leftarrow f_p$ for the first new $f_p$, and set $c \leftarrow c + 1$, $q \leftarrow \lceil \sqrt{(B_1 - C_1)/2} \rceil$.

4. [Compute small steps] Set $x_0 \leftarrow 1$, $x_1 \leftarrow g^e$ then for $r = 2$ to $r = q - 1$ set $x_r \leftarrow x_1 \cdot x_{r-1}$. If, during this computation one finds $x_r = 1$, then set $n \leftarrow r$ and go to step 7. Otherwise, sort the $x_r$ so that searching among them is easy, and set $y \leftarrow x_1 \cdot x_{q-1}$, $y \leftarrow y^2$, $z \leftarrow x_1^{Q_1}$, $n \leftarrow Q_1$.

5. [Compute giant steps] Search for z or $z^{-1}$ in the sorted list of $x_r$ for $0 \le r < q$ (recall that if $z = (a, b, c)$, $z^{-1} = (a, -b, c)$). If a match $z = x_r$ is found, set $n \leftarrow n - r$ and go to step 7. If a match $z^{-1} = x_r$ is found, set $n \leftarrow n + r$ and go to step 7.

6. [Continue] Set $z \leftarrow y \cdot z$, $n \leftarrow n + 2q$. If $n \le B_1$ go to step 5. Otherwise output an error message stating that the order of G is larger than B and terminate the algorithm.

7. [Compute the order of g] (Here we know that $g^{en} = x_1^n = 1$). For each prime p dividing n, do the following: if $x_1^{n/p} = 1$, then set $n \leftarrow n/p$ and go to step 7.

8. [Finished?] (Here n is the exact order of $x_1$). Set $e \leftarrow en$. If $e > B - C$, then set $h \leftarrow e\lfloor B/e \rfloor$, output h and terminate the algorithm. If $c > b$ output a message saying that the algorithm fails to find an answer and terminate the algorithm. Otherwise set $B_1 \leftarrow \lfloor B_1/n \rfloor$, $C_1 \leftarrow \lceil C_1/n \rceil$ and go to step 3.

This is not an algorithm, in the sense that the output may be false. One should compute the whole group structure using Algorithm 5.4.1 to be sure that the result is valid. It almost always gives the right answer however, and thus should be considered as a first step.
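Reduction (Algorithm 5.4.2), Shanks's composition (Algorithm 5.4.7) and the order computation of steps 4 to 7 of Algorithm 5.4.10, with the giant step doubled by the free inverse $(a, -b, c)$, as an added Python example that is not the book's code. The function names, the trial-division stripping of primes in the last loop and the test discriminants $-23$, $-47$ and $-71$ are my own choices.

```python
# Added example, not the book's own code: Algorithm 5.4.2 (reduction),
# Algorithm 5.4.7 (Shanks's composition) and steps 4-7 of Algorithm 5.4.10
# for one form g (giant steps doubled by the free inverse (a,-b,c)).
from math import isqrt

def ext_gcd(a, b):
    """Extended Euclid: (u, v, d) with u*a + v*b = d = gcd(a, b) >= 0."""
    r0, r1, u0, u1, v0, v1 = a, b, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, u0, u1, v0, v1 = r1, r0 - q * r1, u1, u0 - q * u1, v1, v0 - q * v1
    return (-u0, -v0, -r0) if r0 < 0 else (u0, v0, r0)

def discriminant(f):
    return f[1] * f[1] - 4 * f[0] * f[2]

def reduce_form(f):
    """Algorithm 5.4.2: the unique reduced form equivalent to f = (a, b, c)."""
    a, b, c = f
    while True:
        if not (-a < b <= a):                 # step 2, Euclidean step
            q, r = divmod(b, 2 * a)           # 0 <= r < 2a
            if r > a:
                r, q = r - 2 * a, q + 1       # now -a < r <= a
            c -= (b + r) // 2 * q             # b + r is even, so this is exact
            b = r
        if a > c:                             # step 3
            a, b, c = c, -b, a
            continue
        if a == c and b < 0:
            b = -b
        return (a, b, c)

def compose(f1, f2):
    """Algorithm 5.4.7: reduced composite of two primitive forms of equal D."""
    if f1[0] > f2[0]:                         # step 1: arrange a1 <= a2
        f1, f2 = f2, f1
    a1, b1, c1 = f1
    a2, b2, c2 = f2
    s = (b1 + b2) // 2                        # b1 and b2 have the same parity
    n = b2 - s
    if a2 % a1 == 0:                          # step 2: the frequent case a1 | a2
        y1, d = 0, a1
    else:
        y1, _, d = ext_gcd(a2, a1)
    if s % d == 0:                            # step 3: the frequent case d | s
        y2, x2, d1 = -1, 0, d
    else:
        x2, v, d1 = ext_gcd(s, d)
        y2 = -v
    v1, v2 = a1 // d1, a2 // d1               # step 4: compose, then reduce
    r = (y1 * y2 * n - x2 * c2) % v1
    b3 = b2 + 2 * v2 * r
    a3 = v1 * v2
    c3 = (c2 * d1 + r * (b2 + v2 * r)) // v1  # exact division
    return reduce_form((a3, b3, c3))

def identity(D):
    b = D % 2                                 # unit element (1, b, (b^2 - D)/4)
    return (1, b, (b * b - D) // 4)

def inverse(f):
    a, b, c = f
    return reduce_form((a, -b, c))            # the inverse class costs nothing

def power(f, e):
    result = identity(discriminant(f))        # left-to-right binary powering
    for bit in bin(e)[2:]:
        result = compose(result, result)
        if bit == "1":
            result = compose(result, f)
    return result

def element_order(g, bound):
    """Exact order of the class of g, given an upper bound for it."""
    one = identity(discriminant(g))
    q = isqrt(bound // 2) + 1                 # q about sqrt(bound / 2)
    baby, x = {one: 0}, one
    for r in range(1, q + 1):                 # baby steps x_r = g^r
        x = compose(x, g)
        if x == one:
            return r
        baby.setdefault(x, r)
    giant = compose(x, x)                     # g^(2q): one giant step
    z, m = giant, 2 * q
    while m - q <= bound:                     # z = g^m covers [m-q, m+q]
        if z in baby:                         # z = x_r means g^(m-r) = 1
            m -= baby[z]
            break
        if inverse(z) in baby:                # z^-1 = x_r means g^(m+r) = 1
            m += baby[inverse(z)]
            break
        z, m = compose(z, giant), m + 2 * q
    else:
        raise ValueError("order of g exceeds the bound")
    for p in range(2, m + 1):                 # step 7: m is only a multiple
        while m % p == 0 and power(g, m // p) == one:
            m //= p
    return m
```

For $D = -71$, `element_order((2, 1, 9), 20)` returns 7, the class number, and for $D = -23$ the square of $(2, 1, 3)$ is its inverse $(2, -1, 3)$.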


5.5 McCurley's Sub-exponential Algorithm

We now come to an algorithm discovered in 1988 by McCurley [McCur, Haf-McCur1] and which is much faster than the preceding algorithms for large discriminants. Several implementations of this algorithm have been done, for example by Düllmann ([Buc-Dül]), and it is now reasonable to compute the class group for a discriminant of 50 decimal digits. Such examples have been computed by Düllmann and Atkin.

Incidentally, unlike almost all other algorithms in this book, little has been done to optimize the algorithm that we give, and there is plenty of room for (serious) improvements. This is, in fact, a subject of active research.


5.5.1 Outline of the Algorithm

Before giving the details of the algorithm, let us give an outline of the main ideas. First, instead of trying to obtain the class number and class group "from below", by finding relations $x^e = 1$, and hence divisors of the class number, we will find it "from above", i.e. by finding multiples of the class number.

Let $\mathcal{P}$ be a finite set of primes p such that $\left(\frac{D}{p}\right) = 1$ for all $p \in \mathcal{P}$. Then, as in Shanks's method, we can find reduced forms $f_p = (p, b_p, c_p)$, which we will call prime forms, for each $p \in \mathcal{P}$. Now, assuming GRH, one can prove that there exists a constant c which can be computed effectively such that if $\mathcal{P}$ contains all the primes p such that $\left(\frac{D}{p}\right) = 1$ and $p < c\ln^2|D|$, then the classes of the forms $f_p$ for $p \in \mathcal{P}$ generate the class group. This means that if we set $n = |\mathcal{P}|$, the map

$$\phi : \mathbb{Z}^n \to Cl(D), \qquad (x_p)_{p \in \mathcal{P}} \mapsto \prod_{p \in \mathcal{P}} f_p^{x_p}$$

is a surjective group homomorphism. Hence, the kernel $\Lambda$ of $\phi$ is a sublattice of $\mathbb{Z}^n$, and we have

$$\mathbb{Z}^n/\Lambda \simeq Cl(D) \quad \text{and} \quad |\det(\Lambda)| = h(D),$$

denoting by $\det(\Lambda)$ the determinant of any $\mathbb{Z}$-basis of $\Lambda$. The lattice $\Lambda$ is the lattice of relations among the $f_p$. If one finds any system of n independent elements in this lattice, it is clear that the determinant of this system will be a multiple of the determinant of $\Lambda$, hence of h(D). This is how we obtain multiples of the class number.

Now there remains the question of obtaining (many) relations between the $f_p$. To do this, one uses the following lemma:

Lemma 5.5.1. Let (a, b, c) be a primitive positive definite quadratic form of discriminant $D < 0$, and $a = \prod_p p^{v_p}$ be the prime decomposition of a. Then we have up to equivalence:

$$(a, b, c) = \prod_p f_p^{\epsilon_p v_p},$$

where $f_p = (p, b_p, c_p)$ is the prime form corresponding to p, and $\epsilon_p = \pm 1$ is defined by the congruence

$$b \equiv \epsilon_p b_p \pmod{2p}.$$

In fact, all the possible choices for the $\epsilon_p$ correspond exactly to the possible square roots b of D mod 4a, with b defined modulo 2a.

Proof. This lemma follows immediately from the raw formulas for composition that we have given in Section 5.4.2. In terms of ideals, using the correspondence given by Theorem 5.2.8, if $I = \phi_{FI}(f)$, the factorization of $a = N(I)$ corresponds to a factorization $I = \prod \mathfrak{p}^{v_p}$ where $\mathfrak{p}$ is an ideal above $p\mathbb{Z}_K$, and $\epsilon_p$ must be chosen as stated so that $\mathfrak{p} \supset I$. □

This leads immediately to the following idea for generating relations in $\Lambda$: choose random integer exponents $e_p$, and compute the reduced form (a, b, c) equivalent to $\prod_{p \in \mathcal{P}} f_p^{e_p}$. If all the factors of a are in $\mathcal{P}$, we keep the form (a, b, c), otherwise we take other random exponents. If the form is kept, we will have the relation

$$\prod_{p \in \mathcal{P}} f_p^{e_p - \epsilon_p v_p} = 1,$$

giving the element

$$(e_p - \epsilon_p v_p)_{p \in \mathcal{P}} \in \Lambda \subset \mathbb{Z}^n.$$

Continuing in this way, one may reasonably hope to generate $\Lambda$ if $\mathcal{P}$ has been chosen large enough, and this is indeed what one proves, under suitable hypotheses.

The  crucial  point  is  the  choice  of  V.  We  will  take 


for  a  suitable  P,  but  one  must  see  how  large  this  P  must  be  to  optimize  the 
algorithm.  If  P  is  chosen  too  small,  numbers  a  produced  as  above  will  almost 
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never  factor  into  primes  less  than  P.  If  P  is  too  large,  then  the  factoring  time 
of  a  becomes  prohibitive,  as  does  the  memory  required  to  keep  all  the  relations 
and  the  fp.  To  find  the  right  compromise,  one  must  give  the  algorithm  in  much 
greater  detail  and  analyze  its  behavior.  This  is  done  in  [Haf-McCurl],  where 
it  is  shown  that  P  should  be  taken  of  the  order  of  L(|D|)a,  where  L(x)  is  a 
very  important  function  defined  by 

L(x)  =  evinxlnlnx, 

and  a  depends  on  the  particular  implementation,  one  possible  value  being 
l/\/8.  We  will  meet  this  very  important  function  L(x)  again  in  Chapter  10  in 
connection  with  modern  factoring  methods. 

In addition we must have $P > c \ln^2|D|$ so that (assuming GRH) the classes of prime forms f_p with p ∈ 𝒫 generate the class group. Unfortunately, at present, the best known bound for the constant c, due to Bach, is 6, although practical experience shows that this is much too pessimistic. (In fact it is believed that $O(\ln^{1+\varepsilon}|D|)$ generators should suffice for any ε > 0.) Hence, we will choose

$$P = \max\left(6 \ln^2|D|,\ L(|D|)^{1/\sqrt{8}}\right).$$

Note that, although the ln function grows asymptotically much more slowly than the L(|D|) function, in practice the constants 6 and $1/\sqrt{8}$ will make the ln² term dominate. More precisely, the L(|D|) term will start to dominate only for discriminants having at least 103 digits, well outside the range of practical applicability of this method. Even if one could reduce the constant 6 to 1, the ln² term would still dominate for numbers having up to 70 digits.

Let n be the number of p ∈ 𝒫. To give a specific numerical example, for D of the order of $-10^{40}$, with the above formula P will be around 50900, and n around 2600, while if D is of the order of $-10^{50}$, P will be around 79500 and n around 3900. Since we will be handling determinants of n × n matrices, many problems become serious, in particular the storage problems, though they are perhaps still manageable. In any case, the computational load becomes very great. In particular, for matrices of this size it is essential to use special techniques adapted to the type of matrices which we have, i.e. sparse matrices. Since we are over Z and not over a field, the use of methods such as Wiedemann's coordinate recurrence method (see [Wie]) is possible only through the use of the Chinese remainder theorem, and is quite painful. An easier approach is to use "intelligent Hermite reduction", analogous to the intelligent Gaussian elimination technique used by LaMacchia and Odlyzko (see [LaM-Odl]). This method has been implemented by Düllmann ([Buc-Dül]) and by Cohen, Diaz y Diaz and Olivier ([CohDiOl]), and is described below.
5.5.2 Detailed Description of the Algorithm
We  first  make  a  few  remarks. 

The first important remark is that although one should generate random relations using Lemma 5.5.1, one may hope to obtain a non-trivial relation as soon as $\prod_p p^{e_p} > \sqrt{|D|/3}$, since the resulting form obtained by multiplication without reduction will not be reduced. Hence, instead of taking the whole of 𝒫 to compute the products, we take a much smaller subset 𝒫₀ not containing any prime dividing D and such that

$$\prod_{p \in \mathcal{P}_0} p > \sqrt{|D|/3}.$$

Then 𝒫₀ will be very small, typically of cardinality 10 or 20, even for discriminants in the 40 to 50 digit range. In fact, by the prime number theorem, the cardinality of 𝒫₀ should be of the order of ln|D| / ln ln|D|. For similar reasons, although the exponents e_p should be chosen randomly up to |D| as McCurley's analysis shows, in practice it suffices to take very small random exponents, say 1 ≤ e_p ≤ 20.

A second remark is that, even if we use intelligent Hermite reduction as will be described, the size of the matrix involved will be very large. Hence, we must try to make it smaller even before we start the reduction. One way to do this is to decide to take a lower value of P, say one corresponding to the constant c = 1 (i.e. the split primes of norm less than ln²|D| instead of 6 ln²|D|). This would probably work, but even under the GRH the result may be false since we may not have enough generators. There is however one way out of this. For every prime q such that ln²|D| < q < 6 ln²|D|, let g_q be a reduced form equivalent to $f_q \prod_{p \in \mathcal{P}_0} f_p^{e_p}$ with small random exponents e_p as before. If g_q = (a, b, c), then, if a factors over our factor base 𝒫, since q is quite large, with a little luck after a few trials we will find an a which not only factors, but whose prime factors are all less than q. This means that f_q belongs to the subgroup generated by the other f_p's, hence can be discarded as a generator of the class group. Doing this for all the q > ln²|D| is fast and does not involve any matrix handling, and in effect reduces the problem to taking the constant 1 instead of 6 in the definition of P, giving much smaller matrices. Note that the constant 1 which we have chosen is completely arbitrary, but it must not be chosen too small, otherwise it will become very difficult to eliminate the big primes q. In practice, values between 0.5 and 2 seem reasonable.

These kinds of ideas can be pushed further. Instead of taking products using only powers of forms f_p with p ∈ 𝒫₀, we can systematically multiply such a relation by a prime q larger than the ones in 𝒫₀, with the hope that this extra prime will still occur non-trivially in the resulting relation.

A third remark is that ambiguous forms (i.e. those whose square is principal) have to be treated specially in the factor base, since only the parity of the exponents will count. (This is why we have excluded primes dividing D in 𝒫₀.) In fact, it would be better to add the free relations $f_p^2 = 1$ for all p ∈ 𝒫 dividing D. On the other hand, when D is not a fundamental discriminant, one must exclude from 𝒫 the primes p dividing D to a power higher than the first (except for p = 2 which one keeps if D/4 is congruent to 2 or 3 modulo 4). For our present exposition, such primes will be called bad, the others good.


Algorithm 5.5.2 (Sub-Exponential Imaginary Class Group). If D < 0 is a discriminant, this algorithm computes the class number h(D) and the class group Cl(D). As before, in practice we work with binary quadratic forms. We also choose a positive real constant b.

1. [Compute primes and Euler product] Set $m \leftarrow b \ln^2|D|$, $M \leftarrow L(|D|)^{1/\sqrt{8}}$, $P \leftarrow \lfloor \max(m, M) \rfloor$,

$$\mathcal{P} \leftarrow \left\{ p \le P,\ \left(\tfrac{D}{p}\right) \ne -1 \text{ and } p \text{ good} \right\}$$

and compute the product B.

2. [Compute prime forms] Let 𝒫₀ be the set made up of the smallest primes of 𝒫 not dividing D such that $\prod_{p \in \mathcal{P}_0} p > \sqrt{|D|/3}$. For the primes p ∈ 𝒫 do the following. Compute b_p such that $b_p^2 \equiv D \pmod{4p}$ using Algorithm 1.5.1 (and modifying the result to get the correct parity). If b_p > p, set b_p ← 2p − b_p. Set $f_p \leftarrow (p, b_p, (b_p^2 - D)/(4p))$. Finally, let n be the number of primes p ∈ 𝒫.

3. [Compute powers] For each p ∈ 𝒫₀ and each integer e such that 1 ≤ e ≤ 20 compute and store the unique reduced form equivalent to $f_p^e$. Set k ← 0.

4. [Generate random relations] Let f_q be the primeform number k + 1 mod n in the factor base. Choose random e_p between 1 and 20, and compute the unique reduced form (a, b, c) equivalent to

$$f_q \prod_{p \in \mathcal{P}_0} f_p^{e_p}$$

until $v_q(a) \ne 1$ (note that the $f_p^{e_p}$ have already been computed in step 3). Set e_p ← 0 if p ∉ 𝒫₀, then e_q ← e_q + 1.

5. [Factor a] Factor a using trial division. If a prime factor of a is larger than P, do not continue the factorization and go to step 4. Otherwise, if $a = \prod_{p_i \le P} p_i^{v_i}$, set k ← k + 1, and for i ≤ n

where $\varepsilon_{p_i} = +1$ if (b mod 2p_i) < p_i, $\varepsilon_{p_i} = -1$ otherwise.

6. [Enough relations?] If k < n + 10 go to step 4.

7. [Be honest] For each prime q such that P < q < 6 ln²|D| do the following. Choose random e_p between 1 and 20 (say) and compute the primeform f_q corresponding to q and the unique reduced form (a, b, c) equivalent to $f_q \prod_{p \in \mathcal{P}_0} f_p^{e_p}$. If a does not factor into primes less than q, choose other exponents e_p and continue until a factors into such primes. Then go on to the next prime q until the list is exhausted.

8. [Simple HNF] Perform a preliminary simple Hermite reduction on the n × k matrix $A = (a_{i,j})$ as described below, thus obtaining a much smaller matrix A₁.

9. [Compute determinant] Using standard Gaussian elimination techniques, compute the determinant of the lattice generated by the columns of the matrix A₁ modulo small primes p. Then compute the determinant d exactly using the Chinese remainder theorem and Hadamard's inequality (see also Exercise 13). If the matrix is not of rank equal to its number of rows, get 5 more relations (in steps 4 and 5) and go to step 8.

10. [HNF reduction] Using Algorithm 2.4.8 compute the Hermite normal form $H = (h_{i,j})$ of the matrix A₁ using modulo d techniques. Then, for every i such that $h_{i,i} = 1$, suppress row and column i. Let W be the resulting matrix.

11. [Finished?] Let h ← det(W) (i.e. the product of the diagonal elements). If $h > B\sqrt{2}$, get 5 more relations (in steps 4 and 5) and go to step 8. (It will not be necessary to recompute the whole HNF, but only to take into account the last 5 columns.) Otherwise, output h as the class number.

12. [Class group] Compute the Smith normal form of W using Algorithm 2.4.14. Output those diagonal elements d_i which are greater than 1 as the invariants of the class group (i.e. $Cl(D) \simeq \bigoplus \mathbb{Z}/d_i\mathbb{Z}$) and terminate the algorithm.
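The relation-generating steps 2 to 5 above, written out in Python as an added illustration (this is not code from the book). It restricts the factor base to the odd split primes, so the ramified primes and p = 2 of step 1 are left out, replaces Algorithm 1.5.1 by a linear search (adequate for the small primes used), works on a constructed discriminant D, and checks every relation by recomposing the primeforms, which also exercises the sign convention ε_p of step 5:

```python
"""Added example: steps 2-5 of Algorithm 5.5.2 (relation generation) in Python.
Simplifications: the factor base holds only odd split primes, i.e. p with (D/p) = 1,
so ramified primes and p = 2 are left out; a linear search replaces Algorithm 1.5.1."""
import random

def egcd(x, y):
    """Return (g, u, v) with u*x + v*y = g = gcd(x, y)."""
    if y == 0:
        return (x, 1, 0)
    g, u, v = egcd(y, x % y)
    return (g, v, u - (x // y) * v)

def principal(D):
    """The reduced principal form (1, 0 or 1, ...), the identity of Cl(D)."""
    return (1, D % 2, (D % 2 - D) // 4)

def reduce_def(f):
    """Unique reduced form equivalent to a positive definite form (Algorithm 5.4.2)."""
    a, b, c = f
    D = b * b - 4 * a * c
    while True:
        if -a < b <= a:
            if a < c or (a == c and b >= 0):
                return (a, b, c)
            a, b, c = c, -b, a            # exchange a and c, which negates b
        else:
            b = b % (2 * a)               # bring b into (-a, a]
            if b > a:
                b -= 2 * a
            c = (b * b - D) // (4 * a)

def compose(f1, f2):
    """Reduced composition of two forms of the same discriminant (Algorithm 5.4.7)."""
    (a1, b1, c1), (a2, b2, c2) = f1, f2
    if a1 > a2:
        (a1, b1, c1), (a2, b2, c2) = f2, f1
    s, n = (b1 + b2) // 2, (b2 - b1) // 2
    d, y1, _ = egcd(a2, a1) if a2 % a1 else (a1, 0, 1)
    if s % d:
        d1, x2, v = egcd(s, d)
        y2 = -v
    else:
        d1, x2, y2 = d, 0, -1
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    return reduce_def((v1 * v2, b2 + 2 * v2 * r, (c2 * d1 + r * (b2 + v2 * r)) // v1))

def form_pow(f, e):
    """f^e in the class group; the inverse of (a, b, c) is (a, -b, c)."""
    a, b, c = f
    if e < 0:
        f, e = (a, -b, c), -e
    result = principal(b * b - 4 * a * c)
    for _ in range(e):
        result = compose(result, f)
    return result

def primeform(D, p):
    """f_p = (p, b_p, (b_p^2 - D)/(4p)), b_p^2 = D (mod 4p), 0 < b_p < p (step 2)."""
    b = next(x for x in range(p) if (x * x - D) % p == 0)
    if b % 2 != D % 2:                    # fix the parity so that b^2 = D (mod 4)
        b = p - b
    return (p, b, (b * b - D) // (4 * p))

def factor_base(D, P):
    """Odd primes p <= P with (D/p) = 1, i.e. the split primes (part of step 1)."""
    return [p for p in range(3, P + 1, 2)
            if all(p % q for q in range(2, p)) and pow(D % p, (p - 1) // 2, p) == 1]

def find_relation(D, fb, q_index, seed=0, bound=20):
    """Steps 3-5 for the primeform f_q: the exponent vector (a_{i,k}) over fb of a
    relation prod_i f_{p_i}^{a_i} = 1, with eps_p = +1 iff (b mod 2p) < p."""
    rng = random.Random(seed)             # fixed seed: the run is reproducible
    forms = {p: primeform(D, p) for p in fb}
    P0, prod = [], 1                      # smallest primes with prod p > sqrt(|D|/3)
    for p in fb:
        if prod * prod > -D // 3:
            break
        P0.append(p); prod *= p
    q = fb[q_index]
    while True:
        e = {p: rng.randint(1, bound) for p in P0}       # step 4
        e[q] = e.get(q, 0) + 1
        f = principal(D)
        for p, ep in e.items():
            f = compose(f, form_pow(forms[p], ep))
        a, b, _ = f
        if a % q == 0 and (a // q) % q:                  # v_q(a) = 1: draw again
            continue
        v, rest = {}, a                                  # step 5: trial division
        for p in fb:
            while rest % p == 0:
                v[p] = v.get(p, 0) + 1
                rest //= p
        if rest != 1:                                    # a prime factor outside fb
            continue
        return [e.get(p, 0) - (1 if b % (2 * p) < p else -1) * v.get(p, 0) for p in fb]

def is_relation(D, fb, vec):
    """Check a relation: the product of the f_{p_i}^{a_i} must reduce to the principal form."""
    f = principal(D)
    for p, a_i in zip(fb, vec):
        f = compose(f, form_pow(primeform(D, p), a_i))
    return f == principal(D)
```

A returned vector is never the zero vector, for the reason given in the first remark above: the product of the primes of 𝒫₀ already exceeds the bound on a.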

Implementation Remarks.

(1) The constant b used in step 1 is important mainly to control the size of the final matrix A on which we are going to work. As mentioned above however, b must not be chosen too small, otherwise we will have a lot of trouble in the factoring stages. Practice shows that values between 0.5 and 2.0 are quite reasonable.

With such a choice of b, we could of course avoid step 7 entirely since it seems highly implausible that the class group is not generated by the first $0.5 \ln^2|D|$ primeforms. Including step 7, however, makes the correctness of the result depend only on the GRH and nothing else. Note also that strictly speaking the above algorithm could run indefinitely, either because it does not find enough relations, or because the condition of step 7 is never satisfied for some prime q. In practice this never occurs.

(2) The simple Hermite reduction which is needed in step 8 is the following. We first scan all the rows of the n × k matrix A to detect if some have a single ±1, the other coefficients being equal to zero. If this is the case and we find that $a_{i,j} = \pm 1$ is the only non-zero element of its row, we exchange rows i and n and columns j and k, and scan the matrix formed by the first n − 1 rows and k − 1 columns. We continue in this way until no such rows are found. We are now reduced to the study of an (n − s) × (k − s) matrix A′, where s is the number of rows found.

In  the  second  stage,  we  scan  A'  for  rows  having  only  0  and  ±1.  In 
this  case,  simple  arithmetic  is  needed  to  eliminate  the  ±1  as  one  does  in 
ordinary  HNF  reduction,  and,  in  particular,  one  may  hope  to  work  entirely 
with  ordinary  (as  opposed  to  multi-precision)  integers.  The  second  stage 
ends  when  either  all  rows  have  been  scanned,  or  if  a  coefficient  exceeds 
half  the  maximal  possible  value  for  ordinary  integers. 

In a third and last stage before starting the modulo d HNF reduction of step 10, we can proceed as follows (see [Buc-Dül]). We apply the ordinary HNF reduction Algorithm 2.4.5 keeping track of the size of the coefficients which are encountered. In this manner, we Hermite-reduce a few rows (corresponding to the index j in Algorithm 2.4.5) until some coefficient becomes in absolute value larger than a given bound (for example as soon as a coefficient does not fit inside a single-precision number). If the first non-Hermite-reduced row has index j, we use the MLLL Algorithm 2.6.8 or an all-integer version on the matrix formed by the first j rows. The effect of this will be to decrease the size of the coefficients, and since as in Hermite reduction only column operations are involved, the LLL reduction is allowed. We now start again Hermite-reducing a few rows using Algorithm 2.4.5, and we continue until either the matrix is completely reduced, or until the LLL reduction no longer improves matters (i.e. the partial Hermite reduction reduced no row at all).

After  these  reductions  are  performed,  practical  experience  shows  that 
the  size  of  the  matrix  will  have  been  considerably  reduced,  and  this  is 
essential  since  otherwise  the  HNF  reduction  would  have  to  be  performed 
on  matrices  having  up  to  several  thousand  rows  and  columns,  and  this  is 
almost  impossible  in  practice. 

(3) If Hermite reduction is performed carefully as described above, by far the most costly part of the algorithm is the search for relations. This part can be considerably improved by using the large prime variation idea common to many modern factoring methods (see Remark (2) in Section 10.1) as follows. In step 5, all a with a prime factor greater than P will be rejected. But assume that all prime factors of a are less than or equal to P, except one prime factor p_a which is larger. The corresponding quadratic form cannot be used directly without increasing the value of P. But assume that for two values of a, i.e. for two quadratic forms f = (a, b, c) and g = (a′, b′, c′), the large prime p_a is the same. Then either the form $fg^{-1}$ or the form fg (depending on whether b′ ≡ b (mod p_a) or not) will give us a relation in which no primes larger than P will occur, hence a useful relation. The coincidence of two values of p_a will not be a rare phenomenon, and for large discriminants the improvement will be considerable. See Exercise 14 for some hints on how to implement the large prime variation.

(4)  Note  that  the  ‘10’  and  ‘5’  which  occur  in  the  algorithm  are  quite  arbitrary, 
but  are  usually  sufficient  in  practice.  Note  also  that  the  correctness  of  the 
result  is  guaranteed  only  if  one  assumes  GRH.  Hence,  this  is  a  conditional 
algorithm,  but  in  a  much  more  precise  sense  than  Algorithm  5.4.10. 

(5) In step 5, we need to factor a using trial division. Now a can be as large as $\sqrt{|D|/3}$, hence a may have more than 20 digits in the region we are aiming for, and factoring by trial division may seem too costly. We have seen however that M is a few thousand at most in this region, so using trial divisors up to M is reasonable. We can improve on this by using the early abort strategy which will be explained in Chapter 10.

(6) Step 9 requires computing a determinant using the Chinese remainder theorem (although as seen in Exercise 13 we can also compute it directly).
This  means  that  we  first  compute  it  modulo  sufficiently  many  small  primes. 
Then,  by  using  the  Chinese  remainder  Algorithm  1.3.12,  we  can  obtain 
it  modulo  the  product  of  these  primes.  Finally,  Hadamard’s  inequality 
(Proposition  2.2.4)  gives  us  an  upper  bound  on  the  result.  Hence,  if  the 
product  of  our  primes  is  greater  than  twice  this  upper  bound,  we  find  the 
value  of  the  determinant  exactly.  We  have  already  mentioned  this  method 
in  Section  4.3  for  computing  norms  of  algebraic  integers. 

The Hadamard bound may, however, be extremely large, and in that case it is preferable to proceed as follows. We take many more extra relations than needed (say 100 instead of 10) and we must assume that we will obtain the class number itself and not a multiple of it. Then the quantity $B\sqrt{2}$ is an upper bound for the determinant and can be used instead of the Hadamard bound. Once the class group is obtained, we must then check that it is correct, and this can be done without too much difficulty (or we can stop and assume that the result is correct).

(7) Finally, the main point of this method is, of course, its speed since under reasonable hypotheses one can prove that the expected asymptotic average running time is

$$O\left(L(|D|)^{\alpha}\right)$$

with $\alpha = \sqrt{2}$, and perhaps even $\alpha = \sqrt{9/8}$. This is much faster than any of the preceding methods. Furthermore, it can be hoped that one can bring down the constant α to 1. This seems to be the limit of what one can expect to achieve on the subject for the following reason. Many fast factoring methods are known, using very different methods. To mention just a few, there is one using the 2-Sylow subgroup of the class group, one using elliptic curves (ECM), and a sieve type method (MPQS). All these methods have a common expected running time of the order of O(L(N)). In 1989, the discovery of the number field sieve lowered this running time to $O\left(e^{\ln(N)^{1/3+\varepsilon}}\right)$ (see Chapter 10), but this becomes better than the preceding methods for special numbers having more than 100 digits, and for general numbers having more than (perhaps) 130 digits, hence does not concern us here. Since computing the class group is at least as difficult as factoring, one cannot expect to find a significantly faster method than McCurley's algorithm without fundamentally new ideas. It is plausible, however, that using ideas from the number field sieve would give an $O\left(e^{\ln(N)^{1/3+\varepsilon}}\right)$ algorithm, but nobody knows how to do this at the time of this writing. In practice, using Section 6.5, we may speed up Algorithm 5.5.2 by finding some of the relations using the basic number field sieve idea (see Remark (3) after Algorithm 6.5.9).


5.5.3 Atkin's Variant

A variant of the above algorithm has been proposed by Atkin. It has the advantage of being faster, but the disadvantage of not always giving the class group. Atkin's idea is as follows.

Instead of taking 𝒫₀, which is already a small subset of the factor base of prime forms, to generate the relations, we choose a single form f. Of course, there is now no reason for f to generate the class group, but at least when the discriminant is prime this often happens, as tables and the heuristics of [Coh-Len1] show (see Section 5.10).

We then determine the order of f in the class group, using a method which is more efficient than the baby-step giant-step Algorithm 5.4.1 for large discriminants, since it is also a sub-exponential algorithm. The improvement comes, as in McCurley's algorithm, from the use of a factor base. (The philosophy being that any number-theoretic algorithm which can be made to efficiently use factor bases automatically becomes sub-exponential thanks to the theorem of Canfield-Erdős-Pomerance 10.2.1 that we will see in Chapter 10.)

To compute the order of f, we start with the same two steps as Algorithm 5.5.2. In particular, we set n equal to the number of primeforms in our factor base.

We now compute the reduced forms equivalent to f, f², f³, ... For each such form (a, b, c) we execute step 5 of Algorithm 5.5.2, i.e. we check whether the form factors on our factor base, and if it does, we keep the corresponding relation.

We continue in this way until exactly n + 1 relations have been obtained, i.e. one more than the cardinality of the factor base. Let $e_1, e_2, \ldots, e_{n+1}$ be the exponents of f for which we have obtained a relation. Since we have now an n × (n + 1) matrix with integral entries, there exists a non-trivial linear relation between the columns with integral coefficients, and this relation can be obtained by simple linear algebra, not by using number-theoretic methods such as Hermite normal form computations which are much slower. We can for example use a special case of Algorithm 2.3.1.

Now, if C_i is column number i of our matrix, for 1 ≤ i ≤ n + 1, and if x_i are the coefficients of our relation, so that $\sum_{1 \le i \le n+1} x_i C_i = 0$, then clearly

$$f^N = 1, \quad \text{where } N = \sum_{1 \le i \le n+1} x_i e_i.$$

This is exactly the kind of relation that one obtains by using the baby-step giant-step method, but the running time can be shown to be sub-exponential as in McCurley's algorithm.

The relation may of course be trivial, i.e. we may have N = 0. This happens rarely however. Furthermore, if it does happen, we may have at our disposal more independent relations between the columns of our n × (n + 1) matrix, which are also given by Algorithm 2.3.1. If not, we take higher powers of f until we obtain a non-trivial relation.

As soon as we have a non-zero N such that $f^N = 1$, we can compute the exact order of f in the class group as in Algorithm 5.4.1, after having factored N. Of course, this factorization may not be easy, but N is probably of similar size as the class number, hence about $\sqrt{|D|}$, so even if D has 60 digits, we probably will have to factor a number having around 30 digits, which is not too difficult.

If e is the exact order of f, we know that e divides the class number. If e already satisfies the lower bound inequalities given by the Euler product, that is if

$$e > \frac{1}{\sqrt{2}}\,\frac{\sqrt{|D|}}{\pi} \prod_{p \le P} \frac{1}{1 - \left(\frac{D}{p}\right)\frac{1}{p}},$$

then assuming GRH, we must have e = h(D), and the class group is cyclic and generated by f. When it applies, this gives a faster method to compute the class number and class group than McCurley's algorithm. If the inequality is not satisfied, we can proceed with another form, as in Algorithm 5.4.1. The details are left to the reader.

Note that according to tables and the heuristic conjectures of [Coh-Len1] (see Section 5.10), the odd part of the class group should very often be cyclic (probability greater than 97%). Hence, if the discriminant D is prime, so that the class number is odd, there is a very good chance that Cl(D) is cyclic. Furthermore, the number of generators of a cyclic group with h elements is φ(h), and this is also quite large, so there is a good chance that our randomly chosen f will generate the class group.

The implementation details of Atkin's algorithm are left to the reader (see Exercise 15).
5.6 Class Groups of Real Quadratic Fields

We now consider the problem of computing the class group and the regulator of a real quadratic field $K = \mathbb{Q}(\sqrt{D})$, and more generally of the unique real quadratic order of discriminant D. We will consider the problem of computing the regulator in Section 5.7, so we assume that we already have computed the regulator which we will denote by R(D).


5.6.1  Computing  Class  Numbers  Using  Reduced  Forms 

Thanks to Theorem 5.2.9, we still have a correspondence between the narrow ideal class group and equivalence classes of quadratic forms of the same discriminant D. It is not difficult to have a correspondence with the ideal class group itself.

Proposition 5.6.1. If D is a non-square positive integer congruent to 0 or 1 modulo 4, the maps $\psi_{FI}$ and $\phi_{IF}$ of Theorem 5.2.9 induce inverse isomorphisms between Cl(D) and the quotient set of $\mathcal{F}(D)$ obtained by identifying the class of (a, b, c) with the class of (−a, b, −c).

The  proof  is  easy  and  left  to  the  reader  (Exercise  18) . 

The big difference between forms of negative and positive discriminant however is that, although one can define the notion of a reduced form (differently from the negative case), there will in general not exist only one reduced form per equivalence class, but several, which are naturally organized in a cycle structure.

Definition 5.6.2. Let f = (a, b, c) be a quadratic form with positive discriminant D. We say that f is reduced if we have

$$\left|\sqrt{D} - 2|a|\right| < b < \sqrt{D}.$$

The justification for this definition, as well as for the definition in the case of negative discriminants, is given in Exercise 16.

Note immediately the following proposition.

Proposition 5.6.3. Let (a, b, c) be a quadratic form with positive discriminant D. Then

(1) If (a, b, c) is reduced, then |a|, b and |c| are less than $\sqrt{D}$ and a and c are of opposite signs.

(2) More precisely, if (a, b, c) is reduced, we have $|a| + |c| < \sqrt{D}$.

(3) Finally, (a, b, c) is reduced if and only if $\left|\sqrt{D} - 2|c|\right| < b < \sqrt{D}$.

Proof. The result for b is trivial, and since $ac = (b^2 - D)/4 < 0$ it is clear that a and c are of opposite signs. Now we have

$$|a| + |c| - \sqrt{D} = \frac{D - 4|a|\sqrt{D} + 4a^2 - b^2}{4|a|} = \frac{(\sqrt{D} - 2|a|)^2 - b^2}{4|a|},$$

hence by definition of reduced we have $|a| + |c| - \sqrt{D} < 0$, which implies (2) and hence (1).

To prove (3), we note that we have the identity

$$2|c| - \sqrt{D} = \frac{(\sqrt{D} - |a|)^2 - a^2 - b^2}{2|a|},$$

hence if ε = ±1, we have

$$b - \varepsilon\left(2|c| - \sqrt{D}\right) = \frac{(\sqrt{D} + \varepsilon b)\left(b + \varepsilon(2|a| - \sqrt{D})\right)}{2|a|},$$

which is positive by definition. Since a and c play symmetrical roles, this proves (3) and hence the proposition. □


If $\tau = (-b + \sqrt{D})/(2|a|)$ is the quadratic number associated to the form (a, b, c) as in Section 5.2, it is not difficult to show that (a, b, c) is reduced if and only if 0 < τ < 1 and −σ(τ) > 1.

We now need a reduction algorithm on quadratic forms of positive discriminant. It is useful to give a preliminary definition:

Definition 5.6.4. Let D > 0 be a discriminant. If a ≠ 0 and b are integers, we define r(b, a) to be the unique integer r such that r ≡ b (mod 2a) and −|a| < r ≤ |a| if $|a| > \sqrt{D}$, $\sqrt{D} - 2|a| < r < \sqrt{D}$ if $|a| < \sqrt{D}$. In addition, we define the reduction operator ρ on quadratic forms (a, b, c) of discriminant D > 0 by

$$\rho(a, b, c) = \left(c,\ r(-b, c),\ \frac{r(-b, c)^2 - D}{4c}\right).$$

The reduction algorithm is then simply as follows.

Algorithm 5.6.5 (Reduction of Indefinite Quadratic Forms). Given a quadratic form f = (a, b, c) with positive discriminant D, this algorithm finds a reduced form equivalent to f.

1. [Iterate] If (a, b, c) is reduced, output (a, b, c) and terminate the algorithm. Otherwise, set (a, b, c) ← ρ(a, b, c) and go to step 1.

We must show that this algorithm indeed produces a reduced form after a finite number of iterations. In fact, we have the following stronger result:

Proposition 5.6.6.

(1) The number of iterations of ρ which are necessary to reduce a form (a, b, c) is at most $2 + \left\lceil \lg\left(|c|/\sqrt{D}\right) \right\rceil$.

(2) If f = (a, b, c) is a reduced form, then ρ(a, b, c) is again a reduced form.

(3) The reduced forms equivalent to f are exactly the forms $\rho^n(f)$, for n sufficiently large (i.e. n greater than or equal to the least n₀ such that $\rho^{n_0}(f)$ is reduced) and are finite in number.

Proof. The proof of (1) is similar in nature to that of Proposition 5.4.3. Set ρ(f) = (a′, b′, c′). I first claim that if $|c| > \sqrt{D}$ then $|c'| \le |c|/2$. Indeed, in that case $|r(-b, c)| \le |c|$, hence

$$|c'| = \frac{|r(-b, c)^2 - D|}{4|c|} \le \frac{2c^2}{4|c|} = \frac{|c|}{2}$$

since $D < c^2$. So, after at most $\left\lceil \lg\left(|c|/\sqrt{D}\right) \right\rceil$ iterations, we will end up with a form where $|c| < \sqrt{D}$. As in the imaginary case one can then check that the form is almost reduced, in the sense that after another iteration of ρ we will have |a|, |b| and |c| less than $\sqrt{D}$, and then either the form is reduced, or it will be after one extra iteration. The details are left as an exercise for the reader.

For (2), note that if (a, b, c) is reduced, then

$$r(-b, c) = -b + 2|c| \left\lfloor \frac{b + \sqrt{D}}{2|c|} \right\rfloor$$

since this is clearly in the interval $[\sqrt{D} - 2|c|, \sqrt{D}]$. If $|c| \le \sqrt{D}/2$, this implies that ρ(a, b, c) is reduced by definition. If $|c| > \sqrt{D}/2$, it is clear that

$$r(-b, c) = -b + 2|c| > 2|c| - \sqrt{D} = \left|\sqrt{D} - 2|c|\right|,$$

proving again that ρ(a, b, c) is reduced.

Finally, to prove (3), set σ(a, b, c) = (c, b, a). Using again Proposition 5.6.3 (3), it is clear that σ is an involution on reduced forms. Furthermore, one checks immediately that ρσ and σρ are both involutions on the set of reduced forms, thus proving that ρ is a permutation of this set, the inverse of ρ being $\rho^{-1} = \sigma\rho\sigma$.

Another way to see this is to check directly that the inverse of ρ on reduced forms is given explicitly by

$$\rho^{-1}(a, b, c) = \left(\frac{r(-b, a)^2 - D}{4a},\ r(-b, a),\ a\right),$$

and $\rho^{-1}$ can be used instead of ρ to reduce a form, although one must take care that for non-reduced forms, it will not be the inverse of ρ since ρ is not one-to-one. □
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We  can  summarize  Proposition  5.6.6  by  saying  that  if  we  start  with  any 
form  /,  the  sequence  pn(f )  is  ultimately  periodic,  and  we  arrive  inside  the 
period  exactly  when  the  form  is  reduced. 

Finally,  note  that  it  follows  from  Proposition  5.6.3  that  the  set  of  reduced 
forms  of  discriminant  D  has  cardinality  at  most  D  (the  possible  number  of 
pairs  (a,  b )),  but  a  closer  analysis  shows  that  its  cardinality  is  0(D1^2  ln£)). 

It follows from the above discussion and results that in every equivalence class of quadratic forms of discriminant $D > 0$, there is not only one reduced form, but a cycle of reduced forms (cycling under the operation $\rho$), and so the class number is the number of such cycles.

It is not necessary to formally write an algorithm analogous to Algorithm 5.3.5 for computing the class number using reduced forms. We make a list of all the reduced forms of discriminant $D$ by testing among all pairs $(a, b)$ such that $|a| < \sqrt{D}$, $|\sqrt{D} - 2|a|| < b < \sqrt{D}$ and $b \equiv D \pmod 2$, those for which $b^2 - D$ is divisible by $4a$. Then we count the number of orbits under the permutation $\rho$, and the result is the narrow class number $h^+(D)$. If, in addition, we identify the forms $(a, b, c)$ and $(-a, b, -c)$, then, according to Proposition 5.6.1 we obtain the class number $h(D)$ itself.

As for Algorithm 5.3.5, this is an algorithm with $O(D)$ execution time, so is feasible only for discriminants up to $10^6$, say. Hence, as in the imaginary case, it is necessary to find better methods.
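As an added illustration (my own code, not the book's), the following Python carries out the enumeration just described: it lists the reduced forms of a positive non-square fundamental discriminant $D$ with exact integer tests, applies $\rho$ using the definition of $r(b, a)$ for $D > 0$ from earlier in the chapter (restated in the docstring as an assumption), and counts the $\rho$-cycles to get $h^+(D)$ and, after identifying $(a, b, c)$ with $(-a, b, -c)$, $h(D)$. All function names are mine.

```python
from math import isqrt

def r_reduce(b, a, D):
    """Cohen's r(b, a) for D > 0 (assumed from the definition of rho earlier in the chapter):
    the unique r = b (mod 2|a|) with -|a| < r <= |a| if |a| > sqrt(D),
    and sqrt(D) - 2|a| < r < sqrt(D) if |a| < sqrt(D).  D is never a square here."""
    m = 2 * abs(a)
    d = isqrt(D)                          # d < sqrt(D) < d + 1
    if abs(a) > d:                        # |a| > sqrt(D)
        r = b % m
        return r - m if r > abs(a) else r
    # r must lie in the integer range [d - m + 1, d]; pick the residue of b there
    return d - ((d - b) % m)

def rho(form, D):
    """One reduction step: rho(a, b, c) = (c, r(-b, c), (r^2 - D)/(4c))."""
    a, b, c = form
    r = r_reduce(-b, c, D)
    return (c, r, (r * r - D) // (4 * c))

def reduced_forms(D):
    """All (a, b, c) with |a| < sqrt(D), |sqrt(D) - 2|a|| < b < sqrt(D), b = D (mod 2)
    and 4a | b^2 - D.  The irrational bounds are tested exactly by squaring."""
    d = isqrt(D)
    forms = []
    for a0 in range(1, d + 1):                          # |a| < sqrt(D)  <=>  |a| <= d
        for b in range(1, d + 1):                       # 0 < b < sqrt(D)
            if (b - D) % 2:
                continue
            if (b + 2 * a0) ** 2 <= D:                  # b <= sqrt(D) - 2|a|
                continue
            if 2 * a0 > b and (2 * a0 - b) ** 2 >= D:   # b <= 2|a| - sqrt(D)
                continue
            for a in (a0, -a0):
                if (b * b - D) % (4 * a) == 0:
                    forms.append((a, b, (b * b - D) // (4 * a)))
    return forms

def rho_cycles(D):
    """Partition the reduced forms into their orbits under the permutation rho."""
    pending = set(reduced_forms(D))
    cycles = []
    while pending:
        f = next(iter(pending))
        cyc = []
        while f in pending:
            pending.remove(f)
            cyc.append(f)
            f = rho(f, D)
        if f != cyc[0]:    # rho must come back to the start: sanity check on the input
            raise ValueError("rho did not close a cycle; is D a non-square positive discriminant?")
        cycles.append(cyc)
    return cycles

def narrow_class_number(D):
    """h^+(D): the number of rho-cycles."""
    return len(rho_cycles(D))

def class_number(D):
    """h(D): the cycles of (a, b, c) and of (-a, b, -c) are identified (Proposition 5.6.1)."""
    cycles = rho_cycles(D)
    where = {f: i for i, cyc in enumerate(cycles) for f in cyc}
    classes = set()
    for i, cyc in enumerate(cycles):
        a, b, c = cyc[0]
        classes.add(frozenset((i, where[(-a, b, -c)])))
    return len(classes)
```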

For future reference, let us determine the exact correspondence between the action of $\rho$ and the continued fraction expansion of a quadratic irrationality.

In Section 5.2 we have defined maps $\phi_{FI}$ and $\phi_{IQ}$, and by composition, Theorem 5.2.4 tells us that the map $\phi_{FQ}$ from $F$ to $Q \times \mathbb{Z}/2\mathbb{Z}$ defined by

$$\phi_{FQ}(a, b, c) = \left(\frac{-b + \sqrt{D}}{2|a|},\ \operatorname{sign}(a)\right)$$

is an isomorphism. (Note the absolute value of $a$, coming from the necessity of choosing an oriented basis for our ideals.)

From this, one checks immediately that if $f = (a, b, c)$ is reduced, and if $\phi_{FQ}(f) = (\tau, s)$, then

$$\phi_{FQ}(\rho(f)) =$$

where by abuse of notation we still use the notation $\phi_{FQ}$ for the map at the level of forms and not at the level of classes of forms modulo $\Gamma_\infty$.

For $\rho^{-1}$ we define

$$\psi_{FQ}(a, b, c) = \left(\frac{b + \sqrt{D}}{2|a|},\ \operatorname{sign}(a)\right).$$

Then, if $f = (a, b, c)$ is reduced and $\psi_{FQ}(f) = (\tau', s)$, we have

$$\psi_{FQ}(\rho^{-1}(f)) =$$

Thus the action of $\rho$ and $\rho^{-1}$ on reduced forms corresponds exactly to the continued fraction expansion of $\tau$ and $\tau' = -\sigma(\tau)$ respectively, with in addition a $\pm 1$ variable which gives the parity of the number of reduction steps.

In addition, since $\rho$ and $\rho^{-1}$ are inverse maps on reduced forms, we obtain as a corollary of Proposition 5.6.6 the following.

Corollary 5.6.7. Let $\tau = (-b + \sqrt{D})/(2|a|)$ corresponding to a reduced quadratic form $(a, b, c)$. Then the continued fraction expansion of $\tau$ is purely periodic, and the period of the continued fraction expansion of $-\sigma(\tau) = (b + \sqrt{D})/(2|a|)$ is the reverse of that of $\tau$.


5.6.2  Computing  Class  Numbers  Using  Analytic  Formulas 

We will follow closely Section 5.3.3. The definition of $L_D(s)$ is the same, but the functional equation is slightly different:

Proposition 5.6.8. Let $D$ be a positive fundamental discriminant, and define

$$L_D(s) = \sum_{n \ge 1} \left(\frac{D}{n}\right) n^{-s}.$$

This series converges for $\operatorname{Re}(s) > 1$, and defines an analytic function which can be analytically continued to the whole complex plane to an entire function satisfying

$$\Lambda_D(1 - s) = \Lambda_D(s),$$

where we have set

Note that the special case $D = 1$ of this proposition (which is excluded since it is not the discriminant of a quadratic field) is still true if one adds the fact that the function has a simple pole at $s = 1$. In that case, we simply recover the usual functional equation of the Riemann zeta function. The link with the class number and the regulator is as follows. (Recall that the regulator $R(D)$ is in our case the logarithm of the unique generator greater than 1 of the torsion free part of the unit group.)

Proposition 5.6.9. If $D$ is a positive fundamental discriminant, then

$$L_D(1) = \frac{2 h(D) R(D)}{\sqrt{D}}.$$

Note that as in the imaginary case, these results are special cases of Theorem 4.9.12 using the identity $\zeta_K(s) = \zeta(s) L_D(s)$ for $K = \mathbb{Q}(\sqrt{D})$.

Also, as in the imaginary case, it is not very reasonable to compute $L_D(1)$ directly from this formula since its defining series converges so slowly. However, a suitable reordering of the series gives the following:

Corollary 5.6.10. If $D$ is a positive fundamental discriminant, then

$$h(D) R(D) = -\sum_{r=1}^{\lfloor (D-1)/2 \rfloor} \left(\frac{D}{r}\right) \ln \sin\left(\frac{r\pi}{D}\right).$$

As usual, this kind of formula, although a finite sum, is useless from a computational point of view, and is worse than the method of reduced forms, although maybe slightly simpler to program. If we also use the functional equation we obtain a considerable improvement, leading to a complicated but much more efficient formula:


Proposition 5.6.11. If $D$ is a positive fundamental discriminant, then

$$2 h(D) R(D) = \sum_{n \ge 1} \left(\frac{D}{n}\right) \left( \frac{\sqrt{D}}{n} \operatorname{erfc}\left(n \sqrt{\frac{\pi}{D}}\right) + E_1\left(\frac{\pi n^2}{D}\right) \right),$$

where $\operatorname{erfc}(x)$ is the complementary error function (see Propositions 5.3.14 and 5.3.15), and $E_1(x)$ is the exponential integral function defined by

Note that the function $E_1(x)$ can be computed efficiently using the following formulas.

Proposition 5.6.12.

(1) We have for all $x$

$$E_1(x) = -\gamma - \ln(x) + \sum_{k \ge 1} (-1)^{k-1} \frac{x^k}{k!\,k},$$

where $\gamma = 0.57721566490153286\ldots$ is Euler's constant, and this should be used when $x$ is small, say $x < 4$.
(2) We have for all $x > 0$

$$E_1(x) = \frac{e^{-x}}{x}\left(1 - \cfrac{1}{2 + x - \cfrac{1 \cdot 2}{4 + x - \cfrac{2 \cdot 3}{6 + x - \cdots}}}\right)$$

and should be used for $x$ large, say $x > 4$.


Implementation Remark. The remark made after Proposition 5.3.15 is also valid here, the general formula being here

$$2 h(D) R(D) = $$

These results show that the series given in Proposition 5.6.11 converges exponentially, and since $h(D)$ is an integer and $R(D)$ has been computed beforehand, it is clear that the computation time of $h(D)$ by this method is $O(D^{1/2+\varepsilon})$ for any $\varepsilon > 0$. As in the case $D < 0$ it would be easy to give an upper bound for the number of terms that one must take in the series. This is left as an exercise for the reader. See also Exercise 28 for a way to avoid computing the transcendental functions $\operatorname{erfc}$ and $E_1$.


5.6.3  A  Heuristic  Method  of  Shanks 

An examination of the heuristic conjectures of [Coh-Len1] (see Section 5.10) shows that one must expect that, on average, the class number $h(D)$ will be quite small for positive discriminants, in contrast to the case of negative discriminants. Hence, one can use the following method, which is of course not an algorithm, but has a very good chance of giving the correct result quite quickly.

Heuristic Algorithm 5.6.13 (Class Number for $D > 0$). Given a positive fundamental discriminant $D$, this algorithm computes a value which has a pretty good chance of being equal to the class number $h(D)$. As always, we assume that the regulator $R(D)$ has already been computed. We denote by $p_i$ the $i$th prime number.

1. [Regulator small?] If $R(D) < D^{1/4}$, then output a message saying that the algorithm will probably not work, and terminate the algorithm.

2. [Initialize] Set $h_1 \leftarrow \sqrt{D}/(2R(D))$, $h \leftarrow 0$, $c \leftarrow 0$, $k \leftarrow 0$.

3. [Compute block] Set

$$h_1 \leftarrow h_1 \prod_{500k < i \le 500(k+1)} \left(1 - \frac{(D/p_i)}{p_i}\right)^{-1},$$

$m \leftarrow \lfloor h_1 \rceil$ (the nearest integer to $h_1$), $k \leftarrow k + 1$.

4. [Seems integral?] If $|m - h_1| > 0.1$ set $c \leftarrow 0$ and go to step 3.

5. [Seems constant?] If $m \ne h$, set $h \leftarrow m$ and $c \leftarrow 1$ and go to step 3. Otherwise, set $c \leftarrow c + 1$. If $c < 5$ go to step 3, otherwise output $h$ as the tentative class number and terminate the algorithm.


The reason for the frequent success of this algorithm is clear. Although we use the slowly convergent Euler product for $L_D(1)$, if the regulator is not too small, the integer $m$ computed in step 3 has a reasonable chance of being equal to the class number. The heuristic criterion that we use, due to Shanks, is that if the Euler product is less than 0.1 away from the same integer $h$ for 6 consecutive blocks of 500 prime numbers, we assume that $h$ is the class number. In fact, assuming GRH, this heuristic method can be made completely rigorous. I refer to [Mol-Wil] for details. In practice it works quite well, except of course for the quite rare cases in which the regulator is too small.
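The following Python is an added example (my code, not the book's) that puts Propositions 5.6.11 and 5.6.12 and Heuristic Algorithm 5.6.13 side by side: `exp1` evaluates $E_1(x)$ by the series for $x < 4$ and the continued fraction for $x \ge 4$, `two_hR` sums the rapidly convergent series for $2h(D)R(D)$, and `shanks_class_number` runs the Euler-product heuristic. The regulator is passed in, as the text assumes it already computed; the Kronecker symbol routine, the sieve, the cap `max_blocks` on the number of blocks (the book's loop is unbounded) and the check helper `log_unit` are my additions.

```python
import math

EULER_GAMMA = 0.57721566490153286

def kronecker(a, n):
    """Kronecker symbol (a/n) for n >= 1: the Jacobi symbol extended to even n."""
    res = 1
    while n % 2 == 0:                  # (a/2) = 0 for a even, -1 for a = 3, 5 (mod 8)
        n //= 2
        if a % 2 == 0:
            return 0
        if a % 8 in (3, 5):
            res = -res
    a %= n                             # n is now odd: ordinary Jacobi symbol loop
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                res = -res
        a, n = n, a                    # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            res = -res
        a %= n
    return res if n == 1 else 0

def exp1(x):
    """E_1(x) for x > 0 by Proposition 5.6.12: series for x < 4, continued fraction otherwise."""
    if x < 4:
        s, term = 0.0, 1.0
        for k in range(1, 100):
            term *= x / k              # term = x^k / k!
            s += (-1) ** (k - 1) * term / k
            if term / k < 1e-18:
                break
        return -EULER_GAMMA - math.log(x) + s
    den = 2 * 200 + x                  # backward evaluation of the fraction, 200 levels deep
    for k in range(199, 0, -1):        # den_k = 2k + x - k(k+1)/den_{k+1}
        den = 2 * k + x - k * (k + 1) / den
    return math.exp(-x) / x * (1 - 1 / den)

def two_hR(D):
    """2 h(D) R(D) from the series of Proposition 5.6.11 (D a positive fundamental discriminant)."""
    sqD, total, n = math.sqrt(D), 0.0, 1
    while True:
        x = math.pi * n * n / D
        if x > 45:                     # both remaining terms are below e^-45
            return total
        chi = kronecker(D, n)
        if chi:
            total += chi * (sqD / n * math.erfc(math.sqrt(x)) + exp1(x))
        n += 1

def primes_up_to(limit):
    """Plain sieve of Eratosthenes."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, math.isqrt(limit) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(sieve[p * p::p]))
    return [p for p in range(limit + 1) if sieve[p]]

def shanks_class_number(D, R, max_blocks=40):
    """Heuristic Algorithm 5.6.13.  Returns the tentative h(D), or None when R(D) < D^(1/4)
    or when max_blocks (my own cap) blocks of 500 primes did not stabilise the estimate."""
    if R < D ** 0.25:
        return None
    primes = primes_up_to(300_000)     # about 26,000 primes, enough for max_blocks <= 52
    h1, h, c = math.sqrt(D) / (2 * R), 0, 0
    for k in range(max_blocks):
        for p in primes[500 * k: 500 * (k + 1)]:
            h1 /= 1 - kronecker(D, p) / p   # next block of the Euler product for L_D(1)
        m = round(h1)
        if abs(m - h1) > 0.1:          # step 4: not yet close to an integer
            c = 0
        elif m != h:                   # step 5: a new candidate value
            h, c = m, 1
        else:
            c += 1
            if c >= 5:
                return h
    return None

def log_unit(u, v, D):
    """ln((u + v sqrt(D))/2): the regulator when (u + v sqrt(D))/2 is the fundamental unit."""
    return math.log((u + v * math.sqrt(D)) / 2)
```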

We  still  have  not  given  any  method  for  computing  the  structure  of  the 
class  group.  Before  considering  this  point,  we  now  consider  the  question  of 
computing  the  regulator  of  a  real  quadratic  field. 


5.7 Computation of the Fundamental Unit and of the Regulator

As we have seen, reduced forms are grouped into $h(D)$ cycles under the permutation $\rho$. We will see that one can define a distance between forms which, in particular, has the property that the length of each cycle is the same, and equal to the regulator. Note that this is absolutely not true for the naive length defined as the number of forms.


5.7.1  Description  of  the  Algorithms 

Since the action of $\rho$ and $\rho^{-1}$ corresponds to the continued fraction expansion of the quadratic irrationals $\tau$ and $-\sigma(\tau)$ respectively, it is clear that we must be able to compute the fundamental unit and the regulator from these expansions. From Corollary 5.6.7, we know that one of these expansions will be the reverse of the other, so we can choose as we like between the two.

It is slightly simpler to use the expansion of $-\sigma(\tau)$, and this leads to the following algorithm whose validity will be proved in the next section. Note that in this algorithm we assume $a > 0$, but it is easy to modify it so that it stays valid in general (Exercise 20).
Algorithm 5.7.1 (Fundamental Unit Using Continued Fractions). Given a quadratic irrational $\tau = (-b + \sqrt{D})/(2a)$ where $4a \mid (D - b^2)$ and $a > 0$, corresponding to a reduced form $(a, b, (b^2 - D)/(4a))$, this algorithm computes the fundamental unit $\varepsilon$ of $\mathbb{Q}(\sqrt{D})$ using the ordinary continued fraction expansion of $-\sigma(\tau)$.

1. [Initialize] Set $u_1 \leftarrow -b$, $u_2 \leftarrow 2a$, $v_1 \leftarrow 1$, $v_2 \leftarrow 0$, $p \leftarrow b$ and $q \leftarrow 2a$. Precompute $d \leftarrow \lfloor \sqrt{D} \rfloor$.

2. [Euclidean step] Set $A \leftarrow \lfloor (p + d)/q \rfloor$, then in that order, set $p \leftarrow Aq - p$ and $q \leftarrow (D - p^2)/q$. Finally, set $t \leftarrow Au_2 + u_1$, $u_1 \leftarrow u_2$, $u_2 \leftarrow t$, $t \leftarrow Av_2 + v_1$, $v_1 \leftarrow v_2$, and $v_2 \leftarrow t$.

3. [End of period?] If $q = 2a$ and $p \equiv b \pmod{2a}$, set $u \leftarrow |u_2/a|$, $v \leftarrow |v_2/a|$ (both divisions being exact), output $\varepsilon \leftarrow (u + v\sqrt{D})/2$, and terminate the algorithm. Otherwise, go to step 2.

As will be proved in the next section, the result of this algorithm is the fundamental unit, independently of the initial reduced form. Hence, the simplest solution is to start with the unit reduced form, i.e. with $\tau = (-b + \sqrt{D})/2$ and $b = d$ if $d \equiv D \pmod 2$, $b = d - 1$ otherwise, where as in the algorithm $d = \lfloor \sqrt{D} \rfloor$.

Also, note that the form corresponding to $(p + \sqrt{D})/q$ at step $i$ is

$$\left((-1)^i q/2,\ p,\ (-1)^i (p^2 - D)/(2q)\right).$$

If we had wanted the exact action of $\rho^{-1}$, we would have to put $q \leftarrow (p^2 - D)/q$ instead of $q \leftarrow (D - p^2)/q$ in step 2 of the algorithm, and then $q$ would alternate in sign instead of always being positive.

Now the continued fraction expansion of the quadratic irrational corresponding to the unit reduced form is not only periodic, but in fact symmetric. This is true more generally for forms belonging to ambiguous cycles, i.e. forms whose square lies in the principal cycle (see Exercise 22). Hence, it is possible to divide by two the number of iterations in Algorithm 5.7.1. This leads to the following algorithm, whose proof is left to the reader.

Algorithm 5.7.2 (Fundamental Unit). Given a fundamental discriminant $D > 0$, this algorithm computes the fundamental unit of $\mathbb{Q}(\sqrt{D})$.

1. [Initialize] Set $d \leftarrow \lfloor \sqrt{D} \rfloor$. If $d \equiv D \pmod 2$, set $b \leftarrow d$ otherwise set $b \leftarrow d - 1$. Then set $u_1 \leftarrow -b$, $u_2 \leftarrow 2$, $v_1 \leftarrow 1$, $v_2 \leftarrow 0$, $p \leftarrow b$ and $q \leftarrow 2$.

2. [Euclidean step] Set $A \leftarrow \lfloor (p + d)/q \rfloor$, $t \leftarrow p$ and $p \leftarrow Aq - p$. If $t = p$ and $v_2 \ne 0$, then go to step 4, otherwise set $t \leftarrow Au_2 + u_1$, $u_1 \leftarrow u_2$, $u_2 \leftarrow t$, $t \leftarrow Av_2 + v_1$, $v_1 \leftarrow v_2$, and $v_2 \leftarrow t$, $t \leftarrow q$, $q \leftarrow (D - p^2)/q$.

3. [Odd period?] If $q = t$ and $v_2 \ne 0$, set $u \leftarrow |(u_1 u_2 + D v_1 v_2)/q|$, $v \leftarrow |(u_1 v_2 + u_2 v_1)/q|$ (both divisions being exact), output $\varepsilon \leftarrow (u + v\sqrt{D})/2$ and terminate the algorithm. Otherwise, go to step 2.

4. [Even period] Set $u \leftarrow |(u_2^2 + v_2^2 D)/q|$, $v \leftarrow |2 u_2 v_2/q|$ (both divisions being exact), output $\varepsilon \leftarrow (u + v\sqrt{D})/2$ and terminate the algorithm.

The performance of both these algorithms is quite reasonable for discriminants up to $10^6$. It can be proved that the number of steps is $O(D^{1/2+\varepsilon})$ for all $\varepsilon > 0$. Furthermore, all the computations on $p$ and $q$ are done with numbers less than $2\sqrt{D}$, hence of reasonable size. The main problem is that the fundamental unit itself has coefficients $u$ and $v$ which are of unreasonable size. One can show that $\ln u$ and $\ln v$ can be as large as $\sqrt{D}$. Hence, although the number of steps is $O(D^{1/2+\varepsilon})$, this does not correctly reflect the practical execution time, since multi-precision operations become predominant. In fact, it is easy to see that the only bound one can give for the execution time itself is $O(D^{1+\varepsilon})$.

The problem is therefore not so much in computing the numbers $u$ and $v$, which do not make much sense when they are so large, but in computing the regulator itself to some reasonable accuracy, since after all, this is all we need in the class number formula. It would seem that it is not possible to compute $R(D)$ without computing $\varepsilon$ exactly, but luckily this is not the case, and there is a variant of Algorithm 5.7.2 (or 5.7.1) which gives the regulator instead of the fundamental unit. This variant uses floating point numbers, which must be computed to sufficient accuracy (but not unreasonably so: double precision, i.e. 15 decimals, is plenty). The advantage is that no numbers will become large.


5.7.2  Analysis  of  the  Continued  Fraction  Algorithm 

To  do  this,  we  must  analyze  the  behavior  of  the  continued  fraction  algorithm, 
and  along  the  way  we  will  prove  the  validity  of  Algorithm  5.7.1.  We  assume 
for  the  sake  of  simplicity  that  a  >  0  (hence  c  <  0),  although  the  same  analysis 
holds  in  general. 

Call $p_i$, $q_i$, $A_i$, $u_{1,i}$, $u_{2,i}$, $v_{1,i}$, $v_{2,i}$ the quantities occurring in step $i$ of the algorithm, where the initializations correspond to step 0, and set for $i \ge -1$, $a_i = u_{1,i+1}$, $b_i = v_{1,i+1}$. Then we can summarize the recursion implicit in the algorithm by the following formulas:

For all $i \ge 0$, $u_{1,i} = a_{i-1}$, $u_{2,i} = a_i$, $v_{1,i} = b_{i-1}$, $v_{2,i} = b_i$. Furthermore:

$p_0 = b$, $q_0 = 2a$, $a_{-1} = -b$, $a_0 = 2a$, $b_{-1} = 1$, $b_0 = 0$ (recall that $a = 1$ in Algorithm 5.7.2), and for $i \ge 0$:

$$A_i = \left\lfloor \frac{p_i + d}{q_i} \right\rfloor, \quad p_{i+1} = A_i q_i - p_i, \quad q_{i+1} = \frac{D - p_{i+1}^2}{q_i}, \quad a_{i+1} = A_i a_i + a_{i-1}, \quad b_{i+1} = A_i b_i + b_{i-1}.$$

By the choice of $b$, we know that $q_0 \mid D - p_0^2$, and if by induction we assume that all the above quantities are integers and that $q_i \mid D - p_i^2$, one sees that $D - p_{i+1}^2 \equiv D - p_i^2 \equiv 0 \pmod{q_i}$, hence $q_{i+1}$ is an integer. In addition, we clearly have $q_{i+1} \mid D - p_{i+1}^2$ since the quotient is simply $q_i$, thus proving our claim by induction. We also have $q_{i+1} - q_{i-1} = (D - p_{i+1}^2)/q_i - (D - p_i^2)/q_i = (p_i - p_{i+1})(p_i + p_{i+1})/q_i$, hence we obtain the formula

$$q_{i+1} = q_{i-1} + A_i (p_i - p_{i+1}),$$

which is in general computationally simpler than the formula used in the algorithms.

That the algorithms above correspond to the continued fraction expansion of $(b + \sqrt{D})/(2a)$ (where in Algorithm 5.7.2 it is understood that we take $a = 1$) is quite clear. Set $\zeta_i = (p_i + \sqrt{D})/q_i$. Then we have $\zeta_0 = (b + \sqrt{D})/(2a)$, $A_i = \lfloor \zeta_i \rfloor$, and hence

$$\frac{1}{\zeta_i - \lfloor \zeta_i \rfloor} = \frac{q_i}{p_i - A_i q_i + \sqrt{D}} = \frac{A_i q_i - p_i + \sqrt{D}}{(D - (A_i q_i - p_i)^2)/q_i} = \zeta_{i+1},$$

thus giving the above formulas.

This is of course nothing other than the translation of the formula giving $\psi_{FQ}(\rho^{-1}(f))$ in terms of $\psi_{FQ}(f)$.

Note that in practice the computations on the pair $(p, q)$ should be done in the following way: use three extra variables $r$ and $p_1$, $q_1$. Replace steps 1 and 2 of Algorithm 5.7.2 by

1'. [Initialize] Set $d \leftarrow \lfloor \sqrt{D} \rfloor$. If $d \equiv D \pmod 2$, set $b \leftarrow d$ otherwise set $b \leftarrow d - 1$. Then set $u_1 \leftarrow -b$, $u_2 \leftarrow 2$, $v_1 \leftarrow 1$, $v_2 \leftarrow 0$, $p \leftarrow b$ and $q \leftarrow 2$, $q_1 \leftarrow (D - p^2)/q$.

2'. [Euclidean step] Let $p + d = qA + r$ with $0 \le r < q$ be the Euclidean division of $p + d$ by $q$, and set $p_1 \leftarrow p$, $p \leftarrow d - r$. If $p_1 = p$ and $v_2 \ne 0$, then go to step 4, otherwise set $t \leftarrow Au_2 + u_1$, $u_1 \leftarrow u_2$, $u_2 \leftarrow t$, $t \leftarrow Av_2 + v_1$, $v_1 \leftarrow v_2$, and $v_2 \leftarrow t$, $t \leftarrow q$, $q \leftarrow q_1 - A(p - p_1)$, $q_1 \leftarrow t$.

This has the same effect as steps 1 and 2 of Algorithm 5.7.2, but avoids one division in each loop. Note that this method can also be used in general.

Now that we have seen that we are computing the continued fraction expansion of $(b + \sqrt{D})/(2a)$, we must study the behavior of the sequences $a_i$ and $b_i$. This is summarized in the following proposition.

Proposition 5.7.3. With the above notations, we have

(1) $$\frac{a_{i+1} + b_{i+1}\sqrt{D}}{a_i + b_i\sqrt{D}} = \frac{p_{i+1} + \sqrt{D}}{q_i},$$

(2) $$a_i b_{i-1} - a_{i-1} b_i = (-1)^i\, 2a,$$

(3) $$a_i^2 - b_i^2 D = (-1)^i\, 2a q_i,$$

(4) $$a_i a_{i-1} - b_i b_{i-1} D = (-1)^{i-1}\, 2a p_i,$$

(5) $$\sqrt{D} = \frac{a_i \zeta_i + a_{i-1}}{b_i \zeta_i + b_{i-1}},$$

where as before $\zeta_i = (p_i + \sqrt{D})/q_i$.


Proof. Denote real conjugation $\sqrt{D} \mapsto -\sqrt{D}$ in the field $\mathbb{Q}(\sqrt{D})$ by $\sigma$, and set $\rho_i = (p_i + \sqrt{D})/q_{i-1}$. Then $\rho_{i+1} = A_i - \sigma(\zeta_i)$ and since $\zeta_{i+1} = 1/(\zeta_i - A_i)$ we have by applying $\sigma$,

$$\sigma(\zeta_{i+1}) = 1/(\sigma(\zeta_i) - A_i) = -1/\rho_{i+1}.$$

Therefore $\rho_{i+1} = A_i - \sigma(\zeta_i) = A_i + 1/\rho_i$. On the other hand, to be compatible with the recursions, we must define $q_{-1} = (D - b^2)/(2a)$. Thus we see that $\rho_0 = 2a/(\sqrt{D} - b)$ (which comes also from the formula $\rho_i = -1/\sigma(\zeta_i)$). If we set $\alpha_i = a_i + b_i\sqrt{D}$, the recursions show that $\alpha_{i+1} = A_i \alpha_i + \alpha_{i-1}$. Therefore if we set $\beta_i = \alpha_i/\alpha_{i-1}$, we have $\beta_{i+1} = A_i + 1/\beta_i$, and this is the same recursion satisfied by $\rho_i$. Since we have $\beta_0 = 2a/(\sqrt{D} - b) = \rho_0$, this shows that $\beta_i = \rho_i$ for all $i$, thus showing (1).

Formula (2) is a standard formula in continued fraction expansions: we have the matrix recursion

$$\begin{pmatrix} a_{i+1} & b_{i+1} \\ a_i & b_i \end{pmatrix} = \begin{pmatrix} A_i & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} a_i & b_i \\ a_{i-1} & b_{i-1} \end{pmatrix},$$

hence formula (2) follows trivially on taking determinants and noticing that $a_0 b_{-1} - a_{-1} b_0 = 2a$.

To prove (3), we take the norm (with respect to $\mathbb{Q}(\sqrt{D})/\mathbb{Q}$) of formula (1). We obtain:

$$\frac{a_{i+1}^2 - b_{i+1}^2 D}{a_i^2 - b_i^2 D} = \frac{p_{i+1}^2 - D}{q_i^2} = -\frac{q_{i+1}}{q_i},$$

hence by multiplying out we obtain

$$a_i^2 - b_i^2 D = (-1)^i \frac{(a_0^2 - b_0^2 D)\, q_i}{q_0} = (-1)^i\, 2a q_i,$$

showing (3).

Finally, to prove (4) we take the trace (with respect to $\mathbb{Q}(\sqrt{D})/\mathbb{Q}$) of formula (1). We obtain:

$$\frac{a_{i+1} + b_{i+1}\sqrt{D}}{a_i + b_i\sqrt{D}} + \frac{a_{i+1} - b_{i+1}\sqrt{D}}{a_i - b_i\sqrt{D}} = \frac{2p_{i+1}}{q_i},$$

hence grouping and using (3) we get

$$\frac{2a_{i+1}a_i - 2b_{i+1}b_i D}{(-1)^i\, 2a q_i} = \frac{2p_{i+1}}{q_i},$$

and this proves (4).

Formula (5) follows easily from (1) and its proof is left to the reader. □

Corollary 5.7.4. Set $c = (b^2 - D)/(4a)$, so $D = b^2 - 4ac$. Define two sequences $c_i$ and $d_i$ by $c_{-1} = 0$, $c_0 = 1$, $c_{i+1} = A_i c_i + c_{i-1}$, and $d_{-1} = -2c$, $d_0 = b$ and $d_{i+1} = A_i d_i + d_{i-1}$. Then the five formulas of Proposition 5.7.3 hold with $(a, a_i, b_i)$ replaced by $(c, d_i, c_i)$.

The proof is easy and left to the reader.

Now for simplicity let us consider the case of Algorithm 5.7.1. Let $i = k$ be the stage at which we stop, i.e. for which $q_k = 2a$ and $p_k \equiv b \pmod{2a}$. Then we output $\varepsilon = (|a_k| + |b_k|\sqrt{D})/|2a|$. We are going to show that this is indeed the correct result. First, I claim that $\varepsilon$ is a unit. Indeed, notice that using (3), the norm of $\varepsilon$ is equal to $(-1)^k$. Hence, to show that $\varepsilon$ is a unit, it is only necessary to show that it is an algebraic integer. Moreover, since its norm is equal to $\pm 1$, hence integral, we must only show that the trace of $\varepsilon$ is integral, i.e. that $a_k \equiv 0 \pmod a$.

For this, we use the sequence $c_i$ defined in Corollary 5.7.4. It is clear that we have $a_i = 2ac_i - bb_i$. From Proposition 5.7.3 (3) an easy computation gives

$$b_k(cb_k - bc_k) = a\left((-1)^k \frac{q_k}{2a} - c_k^2\right) \equiv 0 \pmod a,$$

since $q_k = 2a$. Similarly, since $p_k \equiv b \pmod{2a}$, from (4) a similar computation gives

$$b_k(cb_{k-1} - bc_{k-1}) = a\left((-1)^{k-1} \frac{p_k - b}{2a} - c_k c_{k-1}\right) \equiv 0 \pmod a.$$

If we set $\delta_i = cb_i - bc_i$, it is clear by induction that

$$\gcd(\delta_k, \delta_{k-1}) = \gcd(\delta_{k-1}, \delta_{k-2}) = \cdots = \gcd(\delta_0, \delta_{-1}) = \gcd(b, c).$$

From the two congruences proved above and the existence of $u$ and $v$ such that $u\delta_k + v\delta_{k-1} = \gcd(b, c)$, it follows that

$$b_k \gcd(b, c) \equiv 0 \pmod a.$$

But since $D$ is a fundamental discriminant, the quadratic form $(a, b, c)$ is primitive, hence $\gcd(a, b, c) = 1 = \gcd(\gcd(b, c), a)$, so we obtain $b_k \equiv 0 \pmod a$, hence also $a_k = 2ac_k - bb_k \equiv 0 \pmod a$ as was to be shown.

Now that we know that $\varepsilon$ is a unit, we will show it is the fundamental unit. Since clearly $\varepsilon > 1$, this will follow from the following more general result. We say that an algebraic integer $\alpha$ is primitive if for any integer $n$, $\alpha/n$ is an algebraic integer only for $n = \pm 1$. Then we have:

Proposition 5.7.5. Let us keep all the above notations. Let $N \ge 1$ be a squarefree integer such that $\gcd(a, N) = 1$. Assume that $2|a|N < \sqrt{D}$. Then the solutions $(A, B)$ of the Diophantine equation

$$A^2 - B^2 D = \pm 4N, \quad\text{with } A > 0,\ B > 0 \text{ and } \frac{A + B\sqrt{D}}{2} \text{ primitive}$$

are given by $(A, B) = (|a_n/a|, |b_n/a|)$, for every $n$ such that $q_n = 2|a|N$ and $p_n \equiv b \pmod{2a}$.

Proof. We have proven above that $\varepsilon$ was an algebraic integer using only $q_k \equiv 0 \pmod{2a}$ and not precisely the value $q_k = 2a$. This shows that if the conditions of Proposition 5.7.5 are satisfied, we will have $a \mid a_n$ and $a \mid b_n$, and since by Proposition 5.7.3 (3) we have $a_n^2 - b_n^2 D = \pm 2a q_n = \pm 4a^2 N$, the pair $(A, B) = (|a_n/a|, |b_n/a|)$ is indeed a solution to our Diophantine equation with $A > 0$, $B > 0$, and since $\mathcal{N}((a_n + b_n\sqrt{D})/(2a)) = \pm N$ and $N$ is squarefree, $(A + B\sqrt{D})/2$ is primitive.

We must now show the converse. Assume that $A^2 - B^2 D = 4sN$ with $s = \pm 1$. Let $\tau' = -\sigma(\tau) = (b + \sqrt{D})/(2a)$ as in Algorithm 5.7.1. Then an easy calculation gives

$$\left|\tau' - \frac{A + bB}{2aB}\right| = \frac{4N}{2|a| B^2 \left|\sqrt{D} + A/B\right|}.$$

Now, $A/B = \sqrt{D \pm 4N/B^2} \ge \sqrt{D - 4N/B^2}$, hence

$$\left|\tau' - \frac{(A + bB)/2}{aB}\right| \le \frac{4N}{2|a| B^2 \left(\sqrt{D} + \sqrt{D - 4N/B^2}\right)}.$$

We also have the following lemma whose proof is left to the reader. (See [H-W] for a slightly weaker version, but the proof is the same, see Exercise 21.)


Lemma 5.7.6. If $p$ and $q$ are integers such that

$$\left|\tau' - \frac{p}{q}\right| < \frac{1}{q \max(2q - 1, 2)}$$

then $p/q$ is a convergent in the continued fraction expansion of $\tau'$.

Consider first the case $|a| > 1$. One easily checks that $4a^2N^2 - 4N/B^2 > (2|a|N - 2N/B)^2$ is equivalent to $2|a|BN > N + 1$ which is clearly true. Hence, since $\sqrt{D} > 2|a|N$, we have $\sqrt{D} + \sqrt{D - 4N/B^2} > 4|a|N - 2N/B$ and therefore

$$\left|\tau' - \frac{(A + bB)/2}{aB}\right| < \frac{1}{|a|B(2|a|B - 1)}.$$

Since $b \equiv D \pmod 2$ and $A \equiv BD \pmod 2$, $(A + bB)/2$ is an integer, and so we can apply the lemma. This shows that $(A + bB)/(2aB)$ is a convergent to $\tau'$. A similar proof applies to the case $|a| = 1$, except when $B = 1$. But in the case $|a| = B = 1$, we have $D - 2\sqrt{D} < A^2 < D + 2\sqrt{D}$ hence either $\sqrt{D} - 1 < A < \sqrt{D} + 1$, and hence $|\tau' - (A + b)/2| < 1/2$ and we can conclude as before that $(A + b)/2$ is a convergent, or else $D - 2\sqrt{D} < A^2 < D - 2\sqrt{D} + 1$ which implies that $\tau' - 1 < (b + A)/2 < \tau'$ hence $(b + A)/2 = \lfloor \tau' \rfloor$ is also a convergent to $\tau'$.

By definition, the convergents to $\tau'$ are $c_n/b_n$, and the equation $(A + bB)/(2aB) = c_n/b_n$ is equivalent to $A/B = a_n/b_n$.

Now we have the following lemma:

Lemma 5.7.7. We have for all $i$,

$$\left(\frac{p_i - b}{2},\ \frac{q_i}{2},\ a\right) = (b_i, a),$$

and

$$\frac{a_i + b_i\sqrt{D}}{2(b_i, a)}$$

is a primitive algebraic integer.

Proof. We know that

$$b_i(cb_i - bc_i) = (-1)^i \frac{q_i}{2} - a c_i^2 \quad\text{and}\quad b_i(cb_{i-1} - bc_{i-1}) = (-1)^{i-1} \frac{p_i - b}{2} - a c_i c_{i-1},$$

hence as above $b_i (b, c) \equiv 0 \pmod{((p_i - b)/2, q_i/2, a)}$, and since $(a, b, c) = 1$, we obtain $((p_i - b)/2, q_i/2, a) \mid (b_i, a)$. Conversely, the same relations show immediately that $(b_i, a) \mid ((p_i - b)/2, q_i/2, a)$, thus giving the first formula of the lemma. For the second, we note that $a_i = 2ac_i - bb_i$, hence $(b_i, a) \mid a_i$, and since by Proposition 5.7.3 (3) $a_i^2 - b_i^2 D = (-1)^i 2aq_i$, we see that $4(b_i, a)^2 \mid a_i^2 - b_i^2 D$ since we have proved that $(b_i, a) \mid q_i/2$, and these two divisibility conditions show that $\alpha = (a_i + b_i\sqrt{D})/(2(b_i, a))$ is an algebraic integer.

Let us show that it is primitive. Note first that since $a_i = 2ac_i - bb_i$ and $(c_i, b_i) = 1$, we have $(a_i, b_i) = (b_i, 2a)$. This shows that if we write $\alpha = (A' + B'\sqrt{D})/2$, we have $(A', B') = (b_i, 2a)/(b_i, a)$ and therefore $(A', B') \mid 2$. If $D \equiv 1 \pmod 4$, it can easily be seen that this is the only required condition for primitivity. If $D \equiv 0 \pmod 4$, we must show that $A'$ is even and that $(A'/2, B') = 1$. In this case however, $b \equiv D \equiv 0 \pmod 2$, hence $a_i/2 = ac_i - (b/2)b_i$ showing that $A' = a_i/(b_i, a)$ is even, and $(a_i/2, b_i) = (a, b_i)$ so $(A'/2, B') = 1$ as was to be shown. □

Now that we have this lemma, we can finish the proof of Proposition 5.7.5. We have shown that $A/B = a_n/b_n$, and since $(A + B\sqrt{D})/2$ was assumed primitive, we obtain from the lemma the equalities $A = |a_n|/(b_n, a)$, $B = |b_n|/(b_n, a)$. Plugging this in the Diophantine equation gives, using Proposition 5.7.3 (3), $\pm 4N = 2aq_n/(b_n, a)^2$ or in other words since it is clear by induction that $aq_i > 0$ for all $i$:

$$N = \frac{a}{(b_n, a)} \cdot \frac{q_n/2}{(b_n, a)}.$$

Since we have assumed $(N, a) = 1$, it follows that $a/(b_n, a) = \pm 1$, so that $a \mid b_n$, hence also $a \mid a_n$, and hence $q_n = 2aN$, thus finishing the proof of Proposition 5.7.5. □

Although we have proved a lot, we are still not finished. We need to show that we do indeed obtain the fundamental unit and not a power of it for every reduced $(a, b, c)$, and not simply for $2|a| < \sqrt{D}$. To do this, it would be necessary to relax the condition $2|a|N < \sqrt{D}$ to $|a|N < \sqrt{D}$ for instance, but this is false as can easily be seen (take for example $D = 136$, $(a, b, c) = (5, 6, -5)$ and $N = 2$. This is only a random example). In the special case $N = 1$ however, which is the case we are most interested in, we can prove our claim by using the symmetry between $a$ and $c$, i.e. by also using Corollary 5.7.4. First, we note the proposition which is symmetric to Proposition 5.7.5.

Proposition 5.7.8. Let us keep all the above notations, and, in particular, those of Corollary 5.7.4. Let $N \ge 1$ be a squarefree integer such that $\gcd(c, N) = 1$ and $2|c|N < \sqrt{D}$.

Then the solutions $(A, B)$ of the Diophantine equation

$$A^2 - B^2 D = \pm 4N, \quad\text{with } A > 0,\ B > 0 \text{ and } \frac{A + B\sqrt{D}}{2} \text{ primitive}$$

are given by $(A, B) = (|d_n/c|, |c_n/c|)$, for every $n$ such that $q_n = 2|c|N$ and $p_n \equiv -b \pmod{2c}$.

The proof is identical to that of Proposition 5.7.5, but uses the formulas of Corollary 5.7.4 instead of those of Proposition 5.7.3. □

Now we can prove:

Proposition 5.7.9. The conclusion of Proposition 5.7.5 is valid for $N = 1$, with the only needed condition being that $(a, b, c)$ is a reduced quadratic form.

Proof. If $|a| < \sqrt{D}/2$, then the result follows from Proposition 5.7.5. Assume now $|a| > \sqrt{D}/2$. By Proposition 5.6.3 (2), we have $|c| < \sqrt{D}/2$, hence we can apply Proposition 5.7.8. We obtain $(A, B) = (|d_n/c|, |c_n/c|)$ for an $n$ such that $p_n \equiv -b \pmod{2c}$ and $q_n = 2|c|$. This implies that $p_{n+1} = A_n q_n - p_n \equiv b \pmod{2c}$ and furthermore, by definition of $A_n$, that $\sqrt{D} - 2|c| < p_{n+1} < \sqrt{D}$. Hence, since $|c| < \sqrt{D}/2$ and $(a, b, c)$ is reduced, we have $p_{n+1} = b$, so $q_{n+1} = 2|a|$. Now from Proposition 5.7.3 and Corollary 5.7.4, we obtain immediately that

$$\frac{d_{n+1} + c_{n+1}\sqrt{D}}{a_{n+1} + b_{n+1}\sqrt{D}} = \frac{d_n + c_n\sqrt{D}}{a_n + b_n\sqrt{D}},$$

hence by induction

$$\frac{d_n + c_n\sqrt{D}}{a_n + b_n\sqrt{D}} = \frac{b + \sqrt{D}}{2a}$$

and from this, Proposition 5.7.3 (1), Lemma 5.7.7 and its analog for $c$ instead of $a$, we obtain the identities $|a_{n+1}/a| = |d_n/c|$ and $|b_{n+1}/a| = |c_n/c|$, proving the proposition. □


5.7.3  Computation  of  the  regulator 

We have already mentioned that the fundamental unit $\varepsilon$ itself can involve huge coefficients, and that what one usually needs is only the regulator to a reasonable degree of accuracy. Note first that for all $i \ge 1$, we have $a_i/b_i > 0$. This is an amusing exercise left to the reader (hint: consider separately the four cases $a > 0$ and $a < 0$, and $2|a| < \sqrt{D}$, $2|a| > \sqrt{D}$). Hence we have
$$R(D) = \ln\varepsilon = \ln\frac{|a_k + b_k\sqrt{D}|}{|2a|} = \ln\prod_{i=0}^{k-1}\frac{|a_{i+1} + b_{i+1}\sqrt{D}|}{|a_i + b_i\sqrt{D}|},$$
so by Proposition 5.7.3,
$$R(D) = \sum_{i=0}^{k-1}\ln\frac{p_{i+1} + \sqrt{D}}{|q_i|} = \sum_{1 \le i \le k}\ln\frac{p_i + \sqrt{D}}{|q_i|}$$
since $q_k = q_0 = 2a$, and since the $p_i$ and $|q_i|$ are always small (less than $2\sqrt{D}$), this enables us to compute the regulator to any given accuracy without handling huge numbers. The computation of a logarithm is a time consuming operation however, and hence it is preferable to write
$$R(D) = \ln\prod_{1 \le i \le k}\frac{p_i + \sqrt{D}}{|q_i|},$$
the product being computed to a given numerical accuracy. In most cases, this method will again not work, because the exponents of the floating point numbers become too large. The trick is to keep the exponent in a separate variable which is updated either at each multiplication, or as soon as there is the risk of having an exponent overflow in the multiplication. Note that we have the trivial inequality $(p_i + \sqrt{D})/|q_i| < \sqrt{D}$, hence exponent overflow can easily be checked. This leads to the following algorithm, analogous to Algorithm 5.7.1.


Algorithm 5.7.10 (Regulator). Given a quadratic irrational $r = \frac{b + \sqrt{D}}{2a}$ corresponding to a reduced form $(a, b, (b^2 - D)/(4a))$ where $4a \mid (D - b^2)$ and $a > 0$, this algorithm computes the regulator $R(D)$ of $\mathbb{Q}(\sqrt{D})$ using the ordinary continued fraction expansion of $r$.

1. [Initialize] Precompute $f \leftarrow \sqrt{D}$ to the desired accuracy, and set $d \leftarrow \lfloor f \rfloor$, $e \leftarrow 0$, $R \leftarrow 1$, $p \leftarrow b$, $q \leftarrow 2a$, and $q_1 \leftarrow (D - p^2)/q$. Finally, let $2^L$ be the highest power of 2 such that $2^L f$ does not give an exponent overflow.

2. [Euclidean step] Let $p + d = qA + r$ with $0 \le r < |q|$ be the Euclidean division of $p + d$ by $q$, and set $p_1 \leftarrow p$, $p \leftarrow d - r$, $t \leftarrow q$, $q \leftarrow q_1 - A(p - p_1)$, $q_1 \leftarrow t$ and $R \leftarrow R(p + f)/q$. If $R > 2^L$, set $R \leftarrow R/2^L$, $e \leftarrow e + 1$.

3. [End of period?] If $q = 2a$ and $p \equiv b \pmod{2a}$, output $R(D) \leftarrow \ln R + eL\ln 2$ and terminate the algorithm. Otherwise, go to step 2.
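As an added worked example (this is not code from the book), here is Algorithm 5.7.10 in Python with the exponent kept in the separate variable e exactly as in step 2. The rescaling threshold is set to L = 32, an assumption chosen deliberately small so that the rescaling branch is actually exercised (Python floats would tolerate a far larger L). Run on the discriminant D = 10209 used later in Section 5.8.3, for which the book gives R(D) ≈ 67.7, and also started from the reduced form (51, 3, −50) of the same discriminant (a second starting point constructed here, not listed in the book), it returns the same regulator, since any reduced form of the principal cycle gives the same period product.

```python
import math


def regulator_cf(D, a=1, b=None):
    """Algorithm 5.7.10 (Regulator): R(D) from the continued fraction of
    r = (b + sqrt D)/(2a), (a, b, (b^2 - D)/(4a)) a reduced form with a > 0.
    With no b given the reduced unit form is used: b is the largest integer
    below sqrt D with b = D (mod 2)."""
    f = math.sqrt(D)                      # step 1: f <- sqrt D, d <- floor f
    d = math.isqrt(D)
    if b is None:
        b = d if (d - D) % 2 == 0 else d - 1
    assert (D - b * b) % (4 * a) == 0, "need 4a | D - b^2"
    L = 32                                # rescaling threshold 2^L (assumption:
    two_L = 2.0 ** L                      # kept small so the branch really runs)
    e, R = 0, 1.0
    p, q = b, 2 * a
    q1 = (D - p * p) // q
    while True:
        A, r = divmod(p + d, q)           # step 2: p + d = qA + r, 0 <= r < q
        p1, p = p, d - r
        q, q1 = q1 - A * (p - p1), q      # q_{i+1} = q_{i-1} - A_i (p_{i+1} - p_i)
        R *= (p + f) / q                  # times the complete quotient (p + sqrt D)/q
        if R > two_L:                     # exponent bookkeeping: R stays below 2^L
            R, e = R / two_L, e + 1
        if q == 2 * a and (p - b) % (2 * a) == 0:   # step 3: end of period
            return math.log(R) + e * L * math.log(2)


if __name__ == "__main__":
    for D in (5, 8, 12, 10209):
        print(D, regulator_cf(D))
    print(10209, regulator_cf(10209, 51, 3))   # another reduced form, same cycle
```

For D = 5, 8 and 12 the function returns ln((1+√5)/2), ln(1+√2) and ln(2+√3), the logarithms of the well-known fundamental units, which is a convenient sanity check before trusting the value for D = 10209.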

In the case where we start with the unit form, we can use the symmetry of the period to obtain an algorithm similar to Algorithm 5.7.2. We leave this as an exercise for the reader (Exercise 23). We can also modify the algorithm so that it works for reduced forms with $a < 0$.

The running time of this algorithm is $O(D^{1/2+\epsilon})$ for all $\epsilon > 0$, but here this corresponds to the actual behavior since no multi-precision variables are being used. Although this is reasonable, we will now see that we can adapt Shanks's baby-step giant-step method to obtain an $O(D^{1/4+\epsilon})$ algorithm, bringing down the computation time to one similar to the case of imaginary quadratic fields.

Remark. If the regulator is computed to sufficient accuracy and is not too large, we can recover the fundamental unit by exponentiating. It is clear that it is impossible to find a sub-exponential algorithm for the fundamental unit in general, since, except when the regulator is very small, it already takes exponential time just to print it in the form $\varepsilon = a + b\sqrt{D}$. It is possible however to write down explicitly the fundamental unit itself if we use a different representation, which H. Williams calls a compact representation. We will see in Section 5.8.3 how this is achieved.
5.8 The Infrastructure Method of Shanks

5.8.1 The Distance Function

The fundamental new idea introduced by Shanks in the theory of real quadratic fields is that one can introduce a distance function between quadratic forms or between ideals, and that this function will enable us to consider the principal cycle pretty much like a cyclic group. The initial theory is explained in [Sha3], and the refined theory which we will now explain can be found in [Len1].

Definition 5.8.1. Let $\mathcal{O}$ be the quadratic order of discriminant $D$, and denote as usual by $\sigma$ the real conjugation in $\mathcal{O}$. If $\mathfrak{a}$ and $\mathfrak{b}$ are fractional ideals of $\mathcal{O}$, we define the distance of $\mathfrak{a}$ to $\mathfrak{b}$ as follows. If $\mathfrak{a}$ and $\mathfrak{b}$ are not equivalent (modulo principal ideals), the distance is not defined. Otherwise, write
$$\mathfrak{b} = \gamma\mathfrak{a}$$
for some $\gamma \in K$. We define the distance $\delta(\mathfrak{a}, \mathfrak{b})$ by the formula
$$\delta(\mathfrak{a}, \mathfrak{b}) = \frac{1}{2}\ln\left|\frac{\gamma}{\sigma(\gamma)}\right|,$$
where $\delta$ is considered to be defined only modulo the regulator $R$ (i.e. $\delta \in \mathbb{R}/R\mathbb{Z}$).

Note that this distance is well defined (modulo $R$) since if we take another $\gamma'$ such that $\mathfrak{b} = \gamma'\mathfrak{a}$, then $\gamma' = \varepsilon\gamma$ where $\varepsilon$ is a unit, hence the distance does not change modulo $R$. Note also that if $\mathfrak{a}$ is multiplied by a rational number, its distance to any other ideal does not change, hence in fact this distance carries over to the set $I$ of ideal classes defined in Section 5.2. This remark will be important later on.

In a similar manner, we can define the distance between two quadratic forms of positive discriminant $D$ as follows.

Definition 5.8.2. Let $f$ and $g$ be two quadratic forms of discriminant $D$, and set $(\mathfrak{a}, s) = \phi_{FI}(f)$, $(\mathfrak{b}, t) = \phi_{FI}(g)$ as in Section 5.2, where $s, t = \pm 1$. If $f$ and $g$ are not equivalent modulo $\mathrm{PSL}_2(\mathbb{Z})$, the distance is not defined. If $f$ and $g$ are equivalent, then by Theorem 5.2.9 there exists $\gamma \in K$ such that
$$\mathfrak{b} = \gamma\mathfrak{a} \quad\text{and}\quad t = s \cdot \mathrm{sign}(\mathcal{N}(\gamma)).$$
We then define as above
$$\delta(f, g) = \frac{1}{2}\ln\left|\frac{\gamma}{\sigma(\gamma)}\right|,$$
where $\delta$ is now considered to be defined modulo the regulator in the narrow sense $R^+$, i.e. the logarithm of the smallest unit greater than 1 which is of positive norm.

Note once again that this distance is well defined, but this time modulo $R^+$, since if we take another $\gamma'$ we must have $\gamma' = \varepsilon\gamma$ with $\varepsilon$ a unit of positive norm. By abuse of notation, we will again denote by $\delta(f, g)$ the unique representative belonging to the interval $[0, R^+[$, and similarly for the distance between ideals.

Ideals are usually given by a $\mathbb{Z}$-basis, hence it is not easy to show that they are equivalent or not. Even if one knows for some reason that they are, it is still not easy to find a $\gamma \in K$ sending one into the other. In other words, it is not easy to compute the distance of two ideals (or of two quadratic forms) directly from the definition.

Luckily, we can bypass this problem in practice for the following reason. The quadratic forms which we will consider will almost always be obtained either by reduction of other quadratic forms (using the reduction step $\rho$ a number of times), or by composition of quadratic forms. Hence, it suffices to give transformation formulas for the distance $\delta$ under these two operations.

Composition is especially simple if one remembers that it corresponds to ideal multiplication. If, for $k = 1, 2$, we have $\mathfrak{b}_k = \gamma_k\mathfrak{a}_k$, then $\mathfrak{b}_1\mathfrak{b}_2 = \gamma_1\gamma_2\mathfrak{a}_1\mathfrak{a}_2$. This means that (before any reduction step), the distance function $\delta$ is exactly additive
$$\delta(\mathfrak{b}_1\mathfrak{b}_2, \mathfrak{a}_1\mathfrak{a}_2) = \delta(\mathfrak{b}_1, \mathfrak{a}_1) + \delta(\mathfrak{b}_2, \mathfrak{a}_2)$$
when all distances are defined. This is true for the distance function on ideals as well as for the distance function between quadratic forms since $\delta$ does not change when one multiplies an ideal with a rational number.

In the case of reduction, it is easier to work with quadratic forms. Let $f = (a, b, c)$ be a quadratic form of discriminant $D$. Then
$$\phi_{FI}(f) = \left(a\mathbb{Z} + \frac{-b + \sqrt{D}}{2}\mathbb{Z},\ \mathrm{sign}(a)\right).$$
Furthermore, $\rho(f) = (c, b', a')$ where $b' \equiv -b \pmod{2c}$, hence
$$\phi_{FI}(\rho(f)) = \left(c\mathbb{Z} + \frac{b + \sqrt{D}}{2}\mathbb{Z},\ \mathrm{sign}(c)\right),$$
since changing $b'$ modulo $2c$ does not change the ideal. Now clearly
$$c\mathbb{Z} + \frac{b + \sqrt{D}}{2}\mathbb{Z} = \gamma\left(a\mathbb{Z} + \frac{-b + \sqrt{D}}{2}\mathbb{Z}\right)$$
where
$$\gamma = \frac{b + \sqrt{D}}{2a}.$$
Hence we obtain

Proposition 5.8.3. If $f = (a, b, c)$ is a quadratic form of discriminant $D$, then
$$\delta(f, \rho(f)) = \frac{1}{2}\ln\left|\frac{b + \sqrt{D}}{b - \sqrt{D}}\right|.$$

Of course, the map $\phi_{IF}$ of Section 5.2 enables us also to compute distances between ideals.

If we have two quadratic forms $f$ and $g$ such that $g = \rho^n(f)$ for $n$ not too large, then by using the formula
$$\delta(f, \rho^n(f)) = \sum_{i=1}^{n}\delta(\rho^{i-1}(f), \rho^i(f))$$
and this proposition, we can compute the distance of $f$ and $g$. When $n$ is large however, this formula, which takes time at least $O(n)$, becomes impractical. This is where we need to use composition.

For simplicity, we now assume that our forms are in the principal cycle, i.e. are equivalent to the unit form which we denote by 1. We then have the following proposition.

Proposition 5.8.4. Let $f_1$ and $f_2$ be two reduced forms in the principal cycle, and let 1 be the unit form. Then if we define $g = f_1 \cdot f_2$ by the composition algorithm given in Section 5.4.2, $g$ may not be reduced, but let $f_3$ be a (non-unique) form obtained from $g$ by the reduction algorithm, i.e. by successive applications of $\rho$. Then we have
$$\delta(1, f_3) = \delta(1, f_1) + \delta(1, f_2) + \delta(g, f_3),$$
and furthermore
$$\delta(g, f_3) < 2\ln(D).$$

This proposition follows at once from the property that $\delta$ is exactly additive under composition (before any reductions are made). □

If we assume that we know $\delta(1, f_1)$ and $\delta(1, f_2)$, then it is easy to compute $\delta(1, f_3)$ since the number of reduction steps needed to go from $g$ to $f_3$ is very small. More precisely, it can be proved (see [Len1]) that $\delta(f, \rho^2(f)) > \ln 2$, hence the number of reduction steps is at most $4\ln(D)/\ln 2$.

Important Remark. In the preceding section we have computed the regulator by adding $\ln((p_i + \sqrt{D})/|q_i|)$ over a cycle (or a half cycle). This corresponds to choosing a modified distance such that $\delta'(f, \rho(f)) = \ln((b + \sqrt{D})/(2|a|))$, and this clearly corresponds to defining
$$\delta'(\mathfrak{a}, \mathfrak{b}) = \ln|\gamma|$$
instead of $\delta(\mathfrak{a}, \mathfrak{b}) = \frac{1}{2}\ln|\gamma/\sigma(\gamma)|$ if $\mathfrak{b} = \gamma\mathfrak{a}$. This distance, which was the initial one suggested by Shanks, can also be used for regulator computations since it is also additive. Note however that it is no longer defined on the set $I$ of ideals modulo the multiplicative action of $\mathbb{Q}^*$, but on the ideals themselves. In particular, with reference to Lemma 5.4.5, we must subtract $\ln(d)$ from the sum of the distances of $I_1$ and $I_2$ before starting the reduction of our composed quadratic form $(A, B, C)$. It also introduces extra factors when one computes the inverse of a form. For example, this would introduce many unnecessary complications in Buchmann's sub-exponential algorithm that we will study below (Section 5.9).

On the other hand, although Shanks's distance is less natural, it is computationally slightly better since it is simpler to multiply by $(b + \sqrt{D})/(2|a|)$ than by $|(b + \sqrt{D})/(b - \sqrt{D})|$. Note also that Proposition 5.8.4 is valid with $\delta$ replaced by $\delta'$, if we take care to subtract the $\ln(d)$ value after composition as we have just explained.

Hence, for simplicity, we will use the distance $\delta$ instead of Shanks's $\delta'$, except in the baby-step giant-step Algorithm 5.8.5 where the use of $\delta'$ gives a slightly more efficient algorithm.


5.8.2 Description of the Algorithm

We consider the set $S$ of pairs $(f, z)$, where $f$ is a reduced form of discriminant $D$ in the principal cycle, and $z = \delta(1, f)$. We can transfer the action of $\rho$ to $S$ by setting $\rho(f, z) = (\rho(f),\ z + \ln|(b + \sqrt{D})/(b - \sqrt{D})|/2)$ if $f = (a, b, c)$, using the above notations. Furthermore, we can transfer the composition operation by setting
$$(f_1, z_1) \cdot (f_2, z_2) = (f_3,\ z_1 + z_2 + \delta(g, f_3)),$$
using the notations of Proposition 5.8.4. Similar formulas are valid with $\delta$ replaced by $\delta'$. Recall that $f_3$ is not uniquely defined, but this does not matter for our purposes as long as we choose $f_3$ not too far away from the first reduced form that one meets after applying $\rho$ to $f_1 \cdot f_2$.

Using these notations, we can apply Shanks's baby-step giant-step method to compute $R(D)$. Indeed, although the principal cycle is not a group, because of the set $S$ we can follow the value of $\delta$ through composition and reduction. This means that Shanks's method allows us to find the regulator in $O(D^{1/4+\epsilon})$ steps instead of the usual $O(D^{1/2+\epsilon})$. If, as for negative discriminants, we also use that the inverse of a form $(a, b, c)$ is a form equivalent to $(a, -b, c)$, i.e. $(a, r(-b, a), (r(-b, a)^2 - D)/4a)$, we obtain the following algorithm, due in essence to Shanks, and modified by Williams. Note that we give the algorithm using Shanks's distance $\delta'$ instead of $\delta$ since it is slightly more efficient, and also we use the language of continued fractions as in Algorithm 5.7.10, in other words, instead of $(a, b, c)$ we use $(p, q) = (b, 2|a|)$.

Algorithm 5.8.5 (Regulator Using Infrastructure). Given a positive fundamental discriminant $D$, this algorithm computes $R(D)$. We assume that all the real numbers involved are computed with a finite and reasonably small accuracy. We make use of an auxiliary table $T$ of quadruplets $(q, p, e, R)$ where $p, q, e$ are integers and $R$ is a real number.

1. [Initialize] Precompute $f \leftarrow \sqrt{D}$, and set $d \leftarrow \lfloor\sqrt{D}\rfloor$, $e \leftarrow 0$, $R \leftarrow 1$, $s \leftarrow \lceil 1.5\sqrt{d}\,\rceil$, $T \leftarrow s + \lceil\ln(4d)/(2\ln((1 + \sqrt{5})/2))\rceil$ and $q \leftarrow 2$. If $d \equiv D \pmod 2$, set $p \leftarrow d$, otherwise set $p \leftarrow d - 1$. Set $q_1 \leftarrow (D - p^2)/q$, $i \leftarrow 0$, and store the quadruplet $(q, p, e, R)$ in $T$. Finally, let $2^L$ be the highest power of 2 such that $2^L f$ does not give an exponent overflow.

2. [Small steps] Set $i \leftarrow i + 1$, and let $p + d = Aq + r$ with $0 \le r < q$ be the Euclidean division of $p + d$ by $q$. Set $p_1 \leftarrow p$, $p \leftarrow d - r$, $t \leftarrow q$, $q \leftarrow q_1 - A(p - p_1)$, $q_1 \leftarrow t$, $R \leftarrow R(p + f)/q_1$. If $R > 2^L$, set $R \leftarrow R/2^L$, $e \leftarrow e + 1$. If $q < d$, store $(q, p, e, R)$ in $T$.

3. [Finished already?] If $p_1 = p$ and $i > 1$, then output
$$R(D) = 2(\ln(R) + eL\ln(2)) - \ln(q_1/2)$$
and terminate the algorithm. If $q_1 = q$ and $i > 1$, then output
$$R(D) = 2(\ln(R) + eL\ln(2)) - \ln((p + f)/2)$$
and terminate the algorithm. If $i = s$, then if $q < d$, set $(Q, P, E, R_1) \leftarrow (q, p, e, R)$, otherwise (still if $i = s$) set $s \leftarrow s + 1$ and $T \leftarrow T + 1$. Finally, if $i < T$ go to step 2.

4. [Initialize for giant steps] Sort table $T$ lexicographically (or in any other way). Then using the composition Algorithm 5.8.6 given below, compute
$$(Q, P, E, R_1) \leftarrow (Q, P, E, R_1) \cdot (Q, P, E, R_1),$$
and set $R \leftarrow 1$, $e \leftarrow 0$, $j \leftarrow 1$, and $q \leftarrow Q$, $p \leftarrow P$.

5. [Match found?] If $(q, p) = (q_i, p_i)$ for some $(q_i, p_i, e_i, r_i) \in T$, output
$$R(D) = j(\ln(R_1) + EL\ln(2)) + \ln(R) + eL\ln(2) - \ln(r_i) - e_iL\ln(2)$$
and terminate the algorithm. If $(q, r(-p, q)) = (q_i, p_i)$ for some $(q_i, p_i, e_i, r_i) \in T$, output
$$R(D) = j(\ln(R_1) + EL\ln(2)) + \ln(R) + eL\ln(2) + \ln(r_i) + e_iL\ln(2) - \ln(q_i/2)$$
and terminate the algorithm.

6. [Giant steps] Using the composition Algorithm 5.8.6 below, compute
$$(q, p, e, R) \leftarrow (q, p, e, R) \cdot (Q, P, E, R_1),$$
set $j \leftarrow j + 1$ and go to step 5.

We need to compose two quadratic forms of positive discriminant $D$, expressed as quadruplets $(q, p, e, R)$, where the pair $(e, R)$ keeps track of the distance from 1 (more precisely $\delta' = eL\ln 2 + \ln R$), and the form itself is $(q, p, (p^2 - D)/q)$ or $(-q, p, (D - p^2)/q)$. The algorithm is identical to the positive definite case (Algorithm 5.4.7), except that the reduction in step 4 must be done using Algorithm 5.6.5 (i.e. powers of $\rho$) instead of Algorithm 5.4.2. We must also keep track of the distance function, and, since we use $\delta'$ instead of $\delta$, we must subtract a $\ln(d_1)$ (i.e. divide by $d_1$) where $d_1$ is the computed GCD.

This leads to the following algorithm.
Algorithm 5.8.6 (Composition of Indefinite Forms with Distance Function). Given two quadruplets $(q_1, p_1, e_1, R_1)$ and $(q_2, p_2, e_2, R_2)$ as above (in particular with $q_i$ even and positive), this algorithm computes the composition
$$(q_3, p_3, e_3, R_3) = (q_1, p_1, e_1, R_1) \cdot (q_2, p_2, e_2, R_2).$$
We assume $f \leftarrow \sqrt{D}$ already computed to sufficient accuracy.

1. [Initialize] If $q_1 > q_2$, exchange the quadruplets. Then set $s \leftarrow \frac{1}{2}(p_1 + p_2)$, $n \leftarrow p_2 - s$.

2. [First Euclidean step] If $q_1 \mid q_2$, set $y_1 \leftarrow 0$ and $d \leftarrow q_1/2$. Otherwise, using Euclid's extended algorithm, compute $(u, v, d)$ such that $uq_2/2 + vq_1/2 = d = \gcd(q_2/2, q_1/2)$ and set $y_1 \leftarrow u$.

3. [Second Euclidean step] If $d \mid s$, set $y_2 \leftarrow -1$, $x_2 \leftarrow 0$ and $d_1 \leftarrow d$. Otherwise, using Euclid's extended algorithm, compute $(u, v, d_1)$ such that $us + vd = d_1 = \gcd(s, d)$, and set $x_2 \leftarrow u$, $y_2 \leftarrow -v$.

4. [Compose] Set $v_1 \leftarrow q_1/(2d_1)$, $v_2 \leftarrow q_2/(2d_1)$, $r \leftarrow \left(y_1y_2n - x_2(p_2^2 - D)/(2q_2) \bmod v_1\right)$, $p_3 \leftarrow p_2 + 2v_2r$, $q_3 \leftarrow 2v_1v_2$.

5. [Initialize reduction] Set $e_3 \leftarrow e_1 + e_2$ and $R_3 \leftarrow R_1R_2/d_1$. If $R_3 > 2^L$, set $R_3 \leftarrow R_3/2^L$ and $e_3 \leftarrow e_3 + 1$.

6. [Reduced?] If $|f - q_3| < p_3$, then output $(q_3, p_3, e_3, R_3)$ and terminate the algorithm. Otherwise, set $p_3 \leftarrow r(-p_3, q_3/2)$, $R_3 \leftarrow R_3(p_3 + f)/q_3$, $q_3 \leftarrow (D - p_3^2)/q_3$, and if $R_3 > 2^L$ set $R_3 \leftarrow R_3/2^L$ and $e_3 \leftarrow e_3 + 1$. Finally, go to step 6.

Note that $r(-p_3, q_3/2)$ is easily computed by a suitable Euclidean division.

This  algorithm  performs  very  well,  and  one  can  compute  regulators  of 
real  quadratic  fields  with  discriminants  with  up  to  20  digits  in  reasonable 
time.  To  go  beyond  this  requires  new  ideas  which  are  essentially  the  same  as 
the  ones  used  in  McCurley’s  sub-exponential  algorithm  and  will  in  fact  give 
us  simultaneously  the  regulator  and  the  class  group.  We  will  study  this  in 
Section  5.9. 


5.8.3  Compact  Representation  of  the  Fundamental  Unit 

The  algorithms  that  we  have  seen  above  allow  us  to  compute  the  regulator  of 
a  real  quadratic  field  to  any  desired  accuracy.  If  this  accuracy  is  high,  however, 
and  in  particular  if  we  want  infinite  accuracy  (i.e.  the  fundamental  unit  itself 
and  not  its  logarithm),  we  must  not  apply  the  algorithms  exactly  as  they  are 
written.  The  reason  for  this  is  that  by  using  the  infrastructure  ideas  of  Shanks 
(essentially  the  distance  function),  the  knowledge  of  a  crude  approximation 
to  the  regulator  R(D)  (say  only  its  integer  part)  allows  us  to  compute  it  very 
fast  to  any  desired  accuracy.  Let  us  see  how  this  is  done. 

Let $f$ be the form $\rho(1)$. It is the first form encountered in the principal cycle when we start at the unit form, and in particular has the smallest distance to 1. Assume that after applying one of the regulator algorithms we know that $R_1 < R(D) < R_2$ (this can be a very crude estimate, for example we could ask that $R_2 - R_1 < 1$). By using the same idea as in Exercise 4 of Chapter 1, it is easy to find in time $O(\ln(D))$ composition operations, an integer $n$ such that $\delta(1, f^n) < R_1$ and $\delta(1, f^{n+1}) \ge R_1$. This implies that $f^n$ is before the unit form in the principal cycle (counting in terms of increasing distances), but not much before since $R_2 - R_1$ is small. Hence, there exists a small $k \ge 0$ which one finds by simply trying $k = 0, 1, \ldots$ such that $1 = \rho^k(f^n)$. Note that this is checked on the exact components of the forms, not on the distance. Hence, we now assume that $k$ and $n$ have been found.

If we want the regulator very precisely, we recompute $f = \rho(1)$ to the desired accuracy, and then the distance component of $\rho^k(f^n)$ will give us the regulator to the accuracy that we want.

If we want the fundamental unit itself, note that by Proposition 5.8.4 the composition of two forms implies the addition of three distances, or equivalently the multiplication of three quadratic numbers. For the $\rho$ operator, only one such multiplication is required. Finally, note that $k$ will be $O(\ln(D))$ and $n$ will be $O(\sqrt{D})$ hence only $O(\ln(D))$ composition or reduction steps are required to compute $\rho^k(f^n)$. This implies that we can express the fundamental unit as a product of at most $O(\ln(D))$ terms of the form $(b + \sqrt{D})/(2|a|)$ (or $|(b + \sqrt{D})/(b - \sqrt{D})|$ if we use the distance $\delta$ instead of $\delta'$) and this is a compact way of keeping the fundamental unit even when $D$ is very large.

Let us give a numerical example. Take $D = 10209$. A rough computation using one of the regulator algorithms shows that $R(D) \approx 67.7$. Furthermore, one computes that $f = \rho(1) = (-2, 99, 51)$. The binary algorithm gives $f^{14} = (1, 101, -2) = 1$ with $\delta'(1, f^{14}) \approx 67.7$. Note that this exponent 14 is not at all canonical and depends on the number of reduction steps performed at each composition, and on the order in which the composition steps are made. Here, we assume that we stop applying $\rho$ as soon as the form is reduced, and that $f^n$ is computed using the right-left binary powering Algorithm 1.2.1.

We now start again recomputing $f$ and $f^{14}$, keeping the quantities $(b + \sqrt{D})/(2|a|)$ that are multiplied, along with their exponents. If $\varepsilon$ is the fundamental unit, we obtain
$$\varepsilon = \left(\frac{101 + \sqrt{D}}{2}\right)^{14}\left(\frac{111 + \sqrt{D}}{32}\right)^{3}\,\frac{1}{3}\,\frac{219 + \sqrt{D}}{242}\,\frac{351 + \sqrt{D}}{264}\,\frac{77 + \sqrt{D}}{428}\,\frac{93 + \sqrt{D}}{780}.$$

The lonely $1/3$ in the middle is due to the use of the imperfect distance function $\delta'$ which as we have already mentioned introduces extra quantities $-\ln d$ in the compositions.

If we instead use the distance $\delta$, we obtain $\varepsilon^2 = \tau/\bar{\tau}$ with
$$\tau = (101 + \sqrt{D})^{14}(111 + \sqrt{D})^{3}(219 + \sqrt{D})(197 + \sqrt{D})(103 + \sqrt{D}).$$

Hence, to represent $\varepsilon$, we could simply keep the pairs $(101, 14)$, $(111, 3)$, $(219, 1)$, $(197, 1)$ and $(103, 1)$. It is a matter of taste which of the two representations above is preferable. Note that in fact
$$\varepsilon = 130969496245430263159443178775 + 1296219513663218157975941956\sqrt{D}$$
which does not really take more space, but for larger discriminants this kind of explicit representation becomes impossible, while the compact one survives without any problem since there are only $O(\ln(D))$ terms of size $O(\ln(D))$ to be kept.
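The following added Python example (not the book's code) checks the numerical example above mechanically. It evaluates the regulator from the pairs of the δ-representation τ by applying Proposition 5.8.3 term by term, recovers ε from ε² = τ/τ̄ = τ²/|N(τ)| with exact integer arithmetic in Q(√D), and multiplies out the δ′-product (including its lone factor 1/3) with exact rational coordinates; the three must agree. The function names and the convention of returning ε as (a + b√D)/2 (so that orders with half-integer coordinates, such as D = 5, are covered) are the example's own choices.

```python
import math
from fractions import Fraction

D = 10209
# delta-representation from the book: eps^2 = tau / conj(tau), with
# tau = (101+sqrt D)^14 (111+sqrt D)^3 (219+sqrt D)(197+sqrt D)(103+sqrt D)
TAU_PAIRS = [(101, 14), (111, 3), (219, 1), (197, 1), (103, 1)]
# delta'-representation from the book: eps = prod ((b + sqrt D)/c)^k times 1/3
SHANKS_FACTORS = [(101, 2, 14), (111, 32, 3), (219, 242, 1), (351, 264, 1),
                  (77, 428, 1), (93, 780, 1)]
SHANKS_RATIONAL = Fraction(1, 3)


def regulator_from_pairs(D, pairs):
    """R = (1/2) sum k_i ln|(b_i + sqrt D)/(b_i - sqrt D)|: Proposition 5.8.3
    applied to each stored factor, so only numbers of size O(ln D) are handled."""
    f = math.sqrt(D)
    return 0.5 * sum(k * math.log(abs((b + f) / (b - f))) for b, k in pairs)


def mul(x, y, D):
    """Product of x0 + x1 sqrt D and y0 + y1 sqrt D with exact coordinates."""
    return (x[0] * y[0] + x[1] * y[1] * D, x[0] * y[1] + x[1] * y[0])


def unit_from_pairs(D, pairs):
    """Recover eps = (a + b sqrt D)/2 exactly from eps^2 = tau^2 / |N(tau)| = X + Y sqrt D:
    a^2 = 2X + 2n and b = 2Y/a with n = N(eps) = +-1, i.e. a^2 - b^2 D = 4n."""
    tau, norm = (1, 0), 1
    for b, k in pairs:
        for _ in range(k):
            tau = mul(tau, (b, 1), D)
            norm *= b * b - D                   # N(b + sqrt D) = b^2 - D
    sq = mul(tau, tau, D)
    X2, Y2 = Fraction(2 * sq[0], abs(norm)), Fraction(2 * sq[1], abs(norm))
    if X2.denominator != 1 or Y2.denominator != 1:
        raise ValueError("tau/conj(tau) is not an algebraic integer: not a unit")
    X2, Y2 = int(X2), int(Y2)
    for n in (1, -1):
        a = math.isqrt(X2 + 2 * n)
        if a > 0 and a * a == X2 + 2 * n and Y2 % a == 0:
            b = Y2 // a
            if a * a - b * b * D == 4 * n:
                return a, b
    raise ValueError("tau/conj(tau) is not the square of an element of the order")


def unit_from_shanks(D, factors, rational):
    """Multiply out prod ((b + sqrt D)/c)^k * rational with exact rational
    coordinates; returns (a, b) meaning (a + b sqrt D)/2, as unit_from_pairs does."""
    x = (rational, Fraction(0))
    for b, c, k in factors:
        for _ in range(k):
            x = mul(x, (Fraction(b, c), Fraction(1, c)), D)
    return 2 * x[0], 2 * x[1]


def log_of_unit(D, a, b):
    """ln((a + b sqrt D)/2), for comparison with the sum of logarithms."""
    return math.log((a + b * math.sqrt(D)) / 2)


if __name__ == "__main__":
    print("R(D) from the pairs:", regulator_from_pairs(D, TAU_PAIRS))
    a, b = unit_from_pairs(D, TAU_PAIRS)
    print("eps = (a + b sqrt D)/2 with a, b =", a, b)
    print("delta' product gives the same unit:",
          unit_from_shanks(D, SHANKS_FACTORS, SHANKS_RATIONAL) == (a, b))
```

Since the book's ε has integer coordinates, unit_from_pairs returns twice them; halving its output reproduces the explicit 30-digit value printed above. The divisibility check inside unit_from_pairs is the real test of a compact representation: if the pairs did not describe a unit, τ²/|N(τ)| would not have integral (or half-integral) coordinates.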

In [Buc-Thi-Wil], the authors have given a slightly more elegant compact
representation  of  the  fundamental  unit,  but  the  basic  principle  is  the  same. 
This  idea  can  be  generalized  to  the  representation  of  algebraic  numbers  (and 
not  only  units),  and  to  any  number  field. 


5.8.4 Other Application and Generalization of the Distance Function

An important aspect of the distance function should be stressed at this point. Not only does it give us a fundamental hold on the fine structure of units, but it also allows us to solve the principal ideal problem which is the following. Assume that $\mathfrak{a}$ is an integral ideal of $\mathbb{Z}_K$ which is known to be a principal ideal (for example because $\mathfrak{a} = \mathfrak{b}^h$ for some ideal $\mathfrak{b}$, where $h$ is the class number of $K$). Assume that we know the distance function $\delta(1, \mathfrak{a})$. Then it is easy to find an element $\gamma$ such that $\mathfrak{a} = \gamma\mathbb{Z}_K$ using the formulas
$$\gamma = \pm\sqrt{\mathcal{N}(\mathfrak{a})}\,e^{\delta(1, \mathfrak{a})}, \qquad \sigma(\gamma) = \pm\sqrt{\mathcal{N}(\mathfrak{a})}\,e^{-\delta(1, \mathfrak{a})}.$$
This leaves only 2 possibilities for $\pm\gamma$, and usually only one will belong to $K$. Note that since $\delta$ is defined only in $\mathbb{R}/R\mathbb{Z}$, $\gamma$ will be defined up to multiplication by a unit.

Similarly, if the distance function $\delta'(1, \mathfrak{a})$ is known, we use the formulas
$$\gamma = \pm e^{\delta'(1, \mathfrak{a})}, \qquad \sigma(\gamma) = \pm\mathcal{N}(\mathfrak{a})\,e^{-\delta'(1, \mathfrak{a})}.$$

The distance function $\delta$ can be naturally generalized to arbitrary number fields $K$ as follows. Let
$$L(x) = \left(\ln|\sigma_1(x)|, \ldots, \ln|\sigma_{r_1}(x)|, 2\ln|\sigma_{r_1+1}(x)|, \ldots, 2\ln|\sigma_{r_1+r_2}(x)|\right)$$
be the logarithmic embedding of $K^*$ into $\mathbb{R}^{r_1+r_2}$ seen in Definition 4.9.6, where $(r_1, r_2)$ is the signature of $K$. If $n = r_1 + 2r_2$ is the degree of $K$, we will set
$$\Delta(\mathfrak{a}, \gamma\mathfrak{a}) = L\left(\gamma/|\mathcal{N}_{K/\mathbb{Q}}(\gamma)|^{1/n}\right),$$
where it is understood that the $\sigma_i$ act trivially on the $n$-th roots of the norms. Then $\Delta$ belongs to the hyperplane $\sum_{1 \le i \le r_1+r_2} x_i = 0$ of $\mathbb{R}^{r_1+r_2}$ and is defined modulo the lattice which is the image of the group of units $U(K)$ under the embedding $L(x)$.

In the case where $K$ is a real quadratic field, then clearly $\Delta = (\delta, -\delta)$, so this is a reasonable generalization of $\delta$. If $K$ is an imaginary quadratic field, we have $\Delta = 0$.

The principal ideal problem can, of course, be asked in general number fields and it is clear that $\Delta$ cannot help us to solve it in general since it cannot do so even for imaginary quadratic fields. For this specific application, the logarithmic embedding $L$ should be replaced by the ordinary embedding
$$\left(\sigma_1(x), \ldots, \sigma_{r_1}(x), \sigma_{r_1+1}(x), \ldots, \sigma_{r_1+r_2}(x)\right)$$
of $K$ into $\mathbb{R}^{r_1} \times \mathbb{C}^{r_2}$.

The components of this embedding are in general too large to be represented exactly, hence we will preferably choose the complex logarithmic embedding
$$L_{\mathbb{C}}(x) = \left(\ln\sigma_1(x), \ldots, \ln\sigma_{r_1}(x), 2\ln\sigma_{r_1+1}(x), \ldots, 2\ln\sigma_{r_1+r_2}(x)\right),$$
where the logarithms are defined up to addition of an integer multiple of $2i\pi$. Note that this requires only twice as much storage space as the embedding $L$, and also that the first $r_1$ components have an imaginary part which is a multiple of $\pi$. Let $V = (n_j)_{1 \le j \le r_1+r_2}$ be the vector such that $n_i = 1$ for $i \le r_1$ and $n_i = 2$ otherwise. We can then define
$$\Delta_{\mathbb{C}}(\mathfrak{a}, \gamma\mathfrak{a}) = L_{\mathbb{C}}(\gamma) - \frac{\ln|\mathcal{N}_{K/\mathbb{Q}}(\gamma)|}{n}\,V$$
and it is clear that the sum of the $r_1 + r_2$ components of $\Delta_{\mathbb{C}}$ is an integral multiple of $2i\pi$. We will see the use of this function in Section 6.5.


5.9  Buchmann’s  Sub-exponential  Algorithm 

We  will  now  describe  a  fast  algorithm  for  computing  the  class  group  and  the 
regulator  of  a  real  quadratic  field,  which  uses  essentially  the  same  ideas  as 
Algorithm  5.5.2. 

Although  the  main  ideas  are  in  McCurley  and  Shanks,  I  have  seen  this 
algorithm  explained  only  in  manuscripts  of  J.  Buchmann  whom  I  heartily 
thank  for  the  many  conversations  which  we  have  had  together.  The  first  im¬ 
plementation  of  this  algorithm  is  due  to  Cohen,  Diaz  y  Diaz  and  Olivier  (see 
[CohDiOl]). 
5.9.1 Outline of the Algorithm

We will follow very closely Algorithm 5.5.2, and use the distance function $\delta$ and not Shanks's distance $\delta'$ which we used in Algorithm 5.8.5.

As we have already explained, in the quadratic case it is simpler to work with forms instead of directly with ideals. Note however that because of Theorem 5.2.9, we will be computing the narrow ideal class group and the regulator in the narrow sense, since this is the natural correspondence with quadratic forms. If, on the other hand, we want the ideal class group and the regulator in the ordinary sense, then, according to Proposition 5.6.1, we will have to identify the form $(a, b, c)$ with the form $(-a, b, -c)$. (This is implicitly what we did in Algorithm 5.8.5.) Although it is very easy to combine both procedures into a single algorithm, note that the computations are independent. More precisely, to the best of my knowledge it does not seem to be easy, given the ideal class group and regulator in one sense (narrow or ordinary), to deduce the ideal class group and regulator in the other sense, although of course only a factor of 2 is involved. We will describe the algorithm for the class group and regulator in the ordinary sense, leaving to the reader the simple modifications that must be made to obtain the class group and regulator in the narrow sense (see Exercise 26).

We now describe the outline of the algorithm. As in Algorithm 5.8.5, we keep track of the distance function as a pair $(e, R)$, but this time we will keep all three coefficients of the quadratic form. Also, we are going to use the distance $\delta$ instead of $\delta'$, and since there is a factor $1/2$ in the definition of $\delta$, we will use the correspondence $\delta(f_0, f) = (eL\ln 2 + \ln R)/2$ for some fixed form $f_0$ equivalent to $f$.

In other words, in this section a quadratic form of positive discriminant will be a quintuplet $f = (a, b, c, e, R)$ where $a, b, c$ and $e$ are integers and $R$ is a real number such that $1 \le R < 2^L$.

We can compose two such forms by using the following algorithm, which is a trivial modification of Algorithm 5.8.6.

Algorithm 5.9.1 (Composition of Indefinite Forms with Distance Function). Given two primitive quadratic forms $(a_1, b_1, c_1, e_1, R_1)$ and $(a_2, b_2, c_2, e_2, R_2)$ as above, this algorithm computes the composition

$$(a_3, b_3, c_3, e_3, R_3) = (a_1, b_1, c_1, e_1, R_1) \cdot (a_2, b_2, c_2, e_2, R_2).$$

We assume $f \leftarrow \sqrt{D}$ already computed to sufficient accuracy.

1. [Initialize] If $|a_1| > |a_2|$ exchange the quintuplets. Then set $s \leftarrow \frac{1}{2}(b_1 + b_2)$, $n \leftarrow b_2 - s$.

2. [First Euclidean step] If $a_1 \mid a_2$, set $y_1 \leftarrow 0$ and $d \leftarrow |a_1|$. Otherwise, using Euclid's extended algorithm, compute $u$, $v$ and $d$ such that $ua_2 + va_1 = d = \gcd(a_2, a_1)$ and set $y_1 \leftarrow u$.

3. [Second Euclidean step] If $d \mid s$, set $y_2 \leftarrow -1$, $x_2 \leftarrow 0$ and $d_1 \leftarrow d$. Otherwise, again using Euclid's extended algorithm, compute $(u, v, d_1)$ such that $us + vd = d_1 = \gcd(s, d)$, and set $x_2 \leftarrow u$ and $y_2 \leftarrow -v$.




4. [Compose] Set $v_1 \leftarrow a_1/d_1$, $v_2 \leftarrow a_2/d_1$, $r \leftarrow (y_1 y_2 n - x_2 c_2 \bmod v_1)$, $b_3 \leftarrow b_2 + 2v_2 r$, $a_3 \leftarrow v_1 v_2$ and $c_3 \leftarrow (b_3^2 - D)/(4a_3)$.

5. [Initialize reduction] Set $e_3 \leftarrow e_1 + e_2$, $R_3 \leftarrow R_1 R_2$. If $R_3 \ge 2^L$, set $R_3 \leftarrow R_3/2^L$ and $e_3 \leftarrow e_3 + 1$.

6. [Reduced?] If $|f - 2|a_3|| < b_3 < f$, then output $(a_3, b_3, c_3, e_3, R_3)$ and terminate the algorithm.

7. [Apply $\rho$] Set $R_3 \leftarrow R_3 \left|(b_3 + f)/(b_3 - f)\right|$ and if $R_3 \ge 2^L$, set $R_3 \leftarrow R_3/2^L$ and $e_3 \leftarrow e_3 + 1$. Then set $a_3 \leftarrow c_3$, $b_3 \leftarrow r(-b_3, c_3)$, $c_3 \leftarrow (b_3^2 - D)/(4a_3)$ and go to step 6.

Note that, apart from some absolute value signs, steps 1 to 4 are identical to the corresponding steps in Algorithm 5.4.7, but the reduction operation is quite different since it involves iterating the function $\rho$ in step 7 of the algorithm and the bookkeeping necessary for the distance function.

Returning to Buchmann's algorithm, what we will do is essentially, instead of keeping track only of $f_p = (p, b_p, (b_p^2 - D)/(4p))$, we also keep track of the distance function. Hence, in step 3 of Algorithm 5.5.2, we compute the product $\prod_{p < P} f_p^{e_p}$, doing the reduction at each product (of course the reduction being non-unique), and keeping track of the distance function thanks to Theorem 5.8.4. In this way we obtain a reduced form $f = (a, b, c)$ equivalent to the above product, and also the value of $\delta\bigl(\prod_{p < P} f_p^{e_p}, f\bigr)$. Since we identify $(a, b, c)$ with $(-a, b, -c)$, we will replace $(a, b, c)$ by $(|a|, b, -|c|)$.

If $a$ does not factor easily, in step 5 we have the option of doing more reduction steps instead of going back to step 4 in the hope of getting an easily factorable $a$. Since this is much faster than recomputing a new product, we will use this method as much as possible. Note that, although we have extra computations to make because of the distance function, the basic computational steps will be faster than in the imaginary quadratic case, hence this algorithm will be faster than the corresponding one for imaginary quadratic fields.

This  behavior  is  to  be  expected  since  on  heuristic  and  experimental 
grounds  class  numbers  of  real  quadratic  fields  are  much  smaller  than  those 
of  imaginary  quadratic  fields. 

Finally, if $a$ factors easily, in step 5 we compute not only $a_{i,k}$ for $1 \le i \le n$, but also $a_{n+1,k} \leftarrow \delta(1, fg^{-1})$ where $g = \prod_{p < P} f_p^{e_p}$ and $\delta(1, fg^{-1})$ is computed as usual at the same time as the product is done, using Theorem 5.8.4.

We thus obtain a matrix $A = (a_{ij})$ with $n+1$ rows and $k$ columns, whose entries in the first $n$ rows are integers and the entries in the last row are real numbers. Note that by definition, for every $j \le k$ we have

$$\delta\Bigl(1, \prod_{i=1}^{n} f_{p_i}^{a_{i,j}}\Bigr) \equiv a_{n+1,j} \pmod{R(D)}.$$




Since the distance function that we have chosen is exactly additive, it follows that when performing column operations on the complete matrix $A$, this relation between the $(n+1)$-st component and the others is preserved.

Hence we apply Hermite reduction to the matrix formed by the first $n$ rows, but performing the corresponding column operations also on the entries of the last row. The first $k - n$ columns of the resulting matrix will thus have only zero entries, except perhaps for the entry in the $(n+1)$-st row. By the remark made above, for $1 \le j \le k - n$ we will thus have

$$a_{n+1,j} \equiv \delta(1, 1) = 0 \pmod{R(D)},$$

in other words $a_{n+1,j}$ is equal to a multiple of the regulator $R(D)$ for $1 \le j \le k - n$.

If $k$ is large enough, it follows that in a certain sense the GCD of the $a_{n+1,j}$ for $1 \le j \le k - n$ should be exactly equal to $R(D)$. We must be careful in the computation of this "GCD" since we are dealing with inexact real numbers. For this purpose, we can either use the LLL algorithm, which will give us a small linear combination of the $a_{n+1,j}$ for $1 \le j \le k - n$ with integral coefficients, which should be the regulator $R(D)$, or use the "real GCD" Algorithm 5.9.3 as described below.

The rest of the algorithm will compute the class group structure in essentially the same way, except of course that in step 1 one must use the analytic class number formula for positive discriminants (Proposition 5.6.9).


5.9.2 Detailed Description of Buchmann's Sub-exponential Algorithm

A practical implementation of this algorithm should take into account at least two remarks. First, note that most of the time is spent in looking for relations. Hence, it is a waste of time to compute with the distance function during the search for relations: we do the search only with the components $(a, b, c)$ of the quadratic forms, and only in the rare cases where a relation is obtained do we recompute the relation with the distance function. The slight loss of time due to the recomputation of each relation is more than compensated by the gain obtained by not computing the distance function during the search for relations.

The second remark is that, as in McCurley's sub-exponential algorithm, the Hermite reduction of the first $n$ rows must be performed modulo a multiple of the determinant, which can be computed before starting the reduction. In other words, we will use Algorithm 2.4.8. The reduction of the last row is however another problem, and in the implementation due to the author, Diaz y Diaz and Olivier, the best method found was to compute the integer kernel of the integer matrix formed by the first $n$ rows using Algorithm 2.7.2, and multiply the $(n+1)$-st row of distances by this kernel, thus obtaining a vector whose components are (approximately) small multiples of the regulator, and we find the regulator itself using one of the methods explained above, for example the LLL algorithm.

These  remarks  lead  to  the  following  algorithm. 


Algorithm 5.9.2 (Sub-Exponential Real Class Group and Regulator). If $D > 0$ is a non-square discriminant, this algorithm computes the class number $h(D)$, the class group $Cl(D)$ and the regulator $R(D)$. As before, in practice we work with binary quadratic forms. We also choose at will a positive real constant $b$.

1. [Compute primes and Euler product] Set $m \leftarrow b\ln^2 D$, $M \leftarrow L(D)^{1/\sqrt{2}}$, $P \leftarrow \lfloor\max(m, M)\rfloor$,

$$\mathcal{P} \leftarrow \Bigl\{p \le P,\ \Bigl(\frac{D}{p}\Bigr) \ne -1 \text{ and } p \text{ good}\Bigr\}$$

and compute the product

$$B \leftarrow \frac{\sqrt{D}}{2}\prod_{p \le P}\Bigl(1 - \frac{(D/p)}{p}\Bigr)^{-1}.$$

2. [Compute prime forms] Let $\mathcal{P}_0$ be the set made up of the smallest primes of $\mathcal{P}$ not dividing $D$ such that $\prod_{p \in \mathcal{P}_0} p >$ [bound illegible in this copy]. For the primes $p \in \mathcal{P}$ do the following. Compute $b_p$ such that $b_p^2 \equiv D \pmod{4p}$ using Algorithm 1.5.1 (and modifying the result to get the correct parity). If $b_p > p$, set $b_p \leftarrow 2p - b_p$. Set $f_p \leftarrow (p, b_p, (b_p^2 - D)/(4p))$ and $g_p \leftarrow (p, b_p, (b_p^2 - D)/(4p), 0, 1.0)$. Finally, let $n$ be the number of primes $p \in \mathcal{P}$.

3. [Compute powers] For each $p \in \mathcal{P}_0$ and each integer $e$ such that $1 \le e \le 20$ compute and store a reduced form equivalent to $f_p^e$. Set $k \leftarrow 0$.

4. [Generate random relations] Let $f_q$ be the primeform number $k + 1 \bmod n$ in the factor base. Choose random $e_p$ between 1 and 20, and compute a reduced form $(a, b, c)$ equivalent to

$$f_q \prod_{p \in \mathcal{P}_0} f_p^{e_p}$$

by using the composition algorithm for positive binary quadratic forms, replacing the final reduction step by a sufficient number of applications of the $\rho$ operator (note that $f_p^{e_p}$ has already been computed in step 3). Set $e_p \leftarrow 0$ if $p \notin \mathcal{P}_0$, then $e_q \leftarrow e_q + 1$. Set $(a_0, b_0, c_0) \leftarrow (a, b, c)$, $r \leftarrow 0$ and go to step 6.

5. [Apply $\rho$] Set $(a, b, c) \leftarrow \rho(a, b, c)$ and $r \leftarrow r + 1$. If $|a| = |a_0|$ and $r$ is odd, or if $b = b_0$ and $r$ is even, go to step 4.

6. [Factor $|a|$] Factor $|a|$ using trial division. If a prime factor of $|a|$ is larger than $P$, do not continue the factorization and go to step 5. Otherwise, if $|a| = \prod_{p \le P} p^{v_p}$, set $k \leftarrow k + 1$, and for $i \le n$ set

$$a_{i,k} \leftarrow e_{p_i} - \epsilon_{p_i} v_{p_i}$$

where $\epsilon_{p_i} = +1$ if $(b \bmod 2p_i) < p_i$, $\epsilon_{p_i} = -1$ otherwise.

7. [Recompute relation with distance] Compute

$$(a_0, b_0, c_0, e_0, R_0) \leftarrow g_q \prod_{p \in \mathcal{P}_0} g_p^{e_p}$$

by mimicking the order of squarings, compositions and reductions done to compute $(a_0, b_0, c_0)$, but this time using Algorithm 5.9.1 for composition. Then compute $(a, b, c, e, R) \leftarrow \rho^r(a_0, b_0, c_0, e_0, R_0)$ by applying the formulas of step 7 of Algorithm 5.9.1 to our forms. Finally, set $a_{n+1,k} \leftarrow (eL\ln 2 + \ln R)/2$.

8.  [Enough  relations?]  If  k  <  n  +  10  go  to  step  4. 

9. [Be honest] For each prime $q$ such that $P < q \le b\ln^2 D$ do the following. Choose random $e_p$ between 1 and 20 (say), compute the primeform $f_q$ corresponding to $q$ and some reduced form $(a, b, c)$ equivalent to $f_q \prod_{p \in \mathcal{P}_0} f_p^{e_p}$. If $a$ does not factor into primes less than $q$, choose other exponents $e_p$ and continue until $a$ factors into such primes (or apply the $\rho$ operator as in step 5). Then go on to the next prime $q$ until the list is exhausted.

10. [Simple HNF] Perform a preliminary simple Hermite reduction on the $(n+1) \times k$ matrix $A = (a_{ij})$ as described in the remarks following Algorithm 5.5.2. In this reduction, only the first $n$ rows should be examined, but column operations should of course be done also with the $(n+1)$-st row. Let $A_1$ be the matrix thus obtained without its last row, and let $V$ be the last row (whose components are linear combinations of distances).

11. [Compute regulator] Using Algorithm 2.7.2, compute the LLL-reduced integral kernel $M$ of $A_1$ as a rectangular matrix, and set $V \leftarrow VM$. Let $s$ be the number of elements of $V$. Set $R \leftarrow |V_1|$, and for $i = 2, \ldots, s$ set $R \leftarrow \mathrm{RGCD}(R, |V_i|)$ where RGCD is the real GCD algorithm described below. (Now $R$ is probably the regulator.)

12. [Compute determinant] Using standard Gaussian elimination techniques, compute the determinant of the lattice generated by the columns of the matrix $A_1$ modulo small primes $p$. Then compute the determinant $d$ exactly using the Chinese remainder theorem and Hadamard's inequality (see also Exercise 13).

13. [HNF reduction] Using Algorithm 2.4.8 compute the Hermite normal form $H = (h_{i,j})$ of the matrix $A_1$ using modulo $d$ techniques. Then for every $i$ such that $h_{i,i} = 1$, suppress row and column $i$. Let $W$ be the resulting matrix.

14. [Finished?] Let $h \leftarrow \det(W)$ (i.e. the product of the diagonal elements). If $hR > B\sqrt{2}$, get 5 more relations (in steps 4, 5 and 6) and go to step 10. (It will not be necessary to recompute the whole HNF, only that which takes into account the last 5 columns.) Otherwise, output $h$ as the class number and $R$ as the regulator.

15. [Class group] Compute the Smith normal form of $W$ using Algorithm 2.4.14. Output those among the diagonal elements $d_i$ which are greater than 1 as the invariants of the class group (i.e. $Cl(D) \cong \bigoplus \mathbb{Z}/d_i\mathbb{Z}$) and terminate the algorithm.

The real GCD algorithm is copied on the ordinary Euclidean algorithm, as follows. We use in an essential way that the regulator is bounded from below (by 1 for real quadratic fields of discriminant greater than 8) so as to have a reasonable stopping criterion. Since we will also use it for general number fields, we use 0.2 as a lower bound of the regulators of all number fields (see [Zim1], [Fri]).

Algorithm 5.9.3 (Real GCD). Given two non-negative real numbers $a$ and $b$ which are known to be approximate integer multiples of some positive real number $R > 0.2$, this algorithm outputs the real GCD (RGCD) of $a$ and $b$, i.e. a non-negative real number $d$ which is an approximate integer multiple of $R$ and divisor of $a$ and $b$, and is the largest with this property. The algorithm also outputs an estimate on the absolute error for $d$.

1. [Finished?] If $b < 0.2$, then output $a$ as the RGCD and $b$ as the absolute error and terminate the algorithm.

2. [Euclidean step] Let $r \leftarrow a - b\lfloor a/b \rfloor$, $a \leftarrow b$, $b \leftarrow r$ and go to step 1.

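Added example (not code from the book): Algorithm 5.9.3 in Python, folded over a vector of distance combinations as step 11 of Algorithm 5.9.2 does, and followed by the step-14 test $hR \le B\sqrt{2}$. The regulator $R_0$, the noisy multiples and the pretend Euler-product value $B$ are constructed sample data.

```python
import math

LOWER_BOUND = 0.2   # lower bound for the regulator of any number field, as used in the text


def rgcd(a, b, lower_bound=LOWER_BOUND):
    """Algorithm 5.9.3: real GCD of two non-negative approximate integer multiples of some
    R > lower_bound. Returns (d, err): the approximate GCD and an absolute-error estimate."""
    a, b = abs(a), abs(b)
    while True:
        if b < lower_bound:             # step 1: what is left is noise, not a multiple of R
            return a, b
        r = a - b * math.floor(a / b)   # step 2: ordinary Euclidean step on reals
        a, b = b, r


def regulator_from_multiples(values, lower_bound=LOWER_BOUND):
    """Step 11 of Algorithm 5.9.2: R <- |V_1|, then R <- RGCD(R, |V_i|) for i = 2..s.
    Returns (R, err) with err the largest error estimate reported by Algorithm 5.9.3."""
    R, err = abs(values[0]), 0.0
    for v in values[1:]:
        R, e = rgcd(R, abs(v), lower_bound)
        err = max(err, e)
    return R, err


def accept_regulator(h, R, B):
    """Step 14 of Algorithm 5.9.2: hR must not exceed B*sqrt(2), otherwise R (or h) is a multiple."""
    return h * R <= B * math.sqrt(2)


# Constructed sample: a made-up regulator R0 and small integer multiples of it with
# perturbations of the size the distance computation might leave behind.
R0 = 1.8183
SAMPLE = [7 * R0 + 1e-6, 3 * R0 - 2e-6, 10 * R0 + 3e-6, -4 * R0 + 1e-6]


if __name__ == "__main__":
    R, err = regulator_from_multiples(SAMPLE)
    print("R =", R, "error estimate", err, "true deviation", abs(R - R0))
    # If every kernel vector only reaches multiples of 2*R0, the RGCD is 2*R0 and the
    # step-14 check against the Euler product (here pretended to be exactly R0) rejects it.
    R2, _ = regulator_from_multiples([2 * R0, 4 * R0, 6 * R0])
    print("accepted:", accept_regulator(1, R, R0), "rejected:", not accept_regulator(1, R2, R0))
```
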
Remarks. 

(1) It should be noted that not only does Algorithm 5.9.2 compute the class number and class group in sub-exponential time, but it is the only algorithm which is able to compute the regulator in sub-exponential time, even if we are not interested in the class number. In fact, in all the preceding algorithms, we first had to compute the regulator (for example using the infrastructure Algorithm 5.8.5), and combining this with the analytic class number formula giving the product $h(D)R(D)$, we could then embark on the computation of $h(D)$ and $Cl(D)$. The present algorithm goes the other way: we can in fact compute a small multiple of the class number alone, without using distances at all, and then compute the distances and the regulator, and at that point use the analytic class number formula to check that we have the correct regulator and class number, and not multiples.

(2) In an actual implementation of this algorithm, one should keep track of the absolute error of each real number. First, in the distance computation in step 7, the precision with which the computations are done gives a bound on the absolute error. Then, during steps 10 and 11, $\mathbb{Z}$-linear combinations of distances will be computed, and the errors updated accordingly (with suitable absolute value signs everywhere). Finally, in the last part of step 11 where real GCD's are computed, one should use the errors output by Algorithm 5.9.3.

(3)  Essentially  all  the  implementation  details  given  for  Algorithm  5.5.2  apply 
also  here. 
5.10 The Cohen-Lenstra Heuristics

The  purpose  of  this  section  is  to  explain  a  number  of  observations  which 
have  been  made  on  tables  of  class  groups  and  regulators  of  quadratic  fields. 
As  already  mentioned  very  few  theorems  exist  (in  fact  essentially  only  the 
theorem  of  Brauer-Siegel  and  the  theorem  of  Goldfeld-Gross-Zagier)  so  most 
of  the  explanations  will  be  conjectural.  These  conjectures  are  however  based 
on  solid  heuristic  grounds  so  they  may  well  turn  out  to  be  correct.  As  usual, 
we  first  start  with  imaginary  quadratic  fields. 


5.10.1  Results  and  Heuristics  for  Imaginary  Quadratic  Fields 

In this subsection $K$ will denote the unique imaginary quadratic field of discriminant $D < 0$. As we have seen, the only problem here is the behavior of the class group $Cl(D)$ and hence of the class number $h(D)$, all other basic problems being trivial to solve.

Here the Brauer-Siegel theorem says that $\ln(h(D)) \sim \ln(\sqrt{|D|})$ as $D \to -\infty$, which shows that $h(D)$ tends to infinity at least as fast as $|D|^{1/2 - \varepsilon}$ and at most as fast as $|D|^{1/2 + \varepsilon}$ for every $\varepsilon > 0$. The main problem is that this is not effective in a very strong sense, and this is why one has had to wait for the Gross-Zagier result to get any kind of effective result, and a very weak one at that since using their methods one can show only that

$$h(D) > \frac{1}{K}\ln(|D|)\prod_{p \mid D}^{*}\Bigl(1 - \frac{\lfloor 2\sqrt{p}\rfloor}{p+1}\Bigr),$$

where $K = 55$ if $(D, 5077) = 1$ and $K = 7000$ otherwise, and the star indicates that the product is taken over all prime divisors $p$ of $D$ with the exception of the largest prime divisor (see [Oes]). This is of course much weaker than the Brauer-Siegel theorem.

Results in the other direction are much easier. For example, one can show that for all $D < -4$, we have

$$h(D) < \frac{1}{\pi}\sqrt{|D|}\,\ln(|D|)$$

(see Exercise 27). Similarly, it is very easy to obtain average results, which were known since Gauss. The result is as follows (see [Ayo]).

$$\sum_{|D| \le x} h(D) \sim \frac{x^{3/2}}{3\pi}\,C$$

where the sum runs over fundamental discriminants and

$$C = \prod_{p}\Bigl(1 - \frac{1}{p^2(p+1)}\Bigr) \approx 0.881538397.$$

Since by Exercise 1 the number of fundamental discriminants up to $x$ is asymptotic to $(3/\pi^2)x$, this shows that on average, $h(D)$ behaves as $(C\pi/6)\sqrt{|D|} \approx 0.461559\sqrt{|D|}$, and shows that the upper bound given for $h(D)$ is at most off by a factor $O(\ln(|D|))$.

All  the  above  results  deal  with  the  size  of  h(D).  If  we  consider  problems 
concerning  its  arithmetic  properties  (for  example  divisibility  by  small  primes) 
or  properties  of  the  class  group  Cl(D)  itself,  very  little  is  known.  If  we  make 
however  the  heuristic  assumption  that  class  groups  behave  as  random  groups 
except  that  they  must  be  weighted  by  the  inverse  of  the  number  of  their 
automorphisms  (this  is  a  very  common  weighting  factor  in  mathematics),  then 
it  is  possible  to  make  precise  quantitative  predictions  about  class  numbers  and 
class  groups.  This  was  done  by  H.  W.  Lenstra  and  the  author  in  [Coh-Lenl]. 
We  summarize  here  some  of  the  conjectures  which  are  obtained  in  this  way 
and  which  are  well  supported  by  numerical  evidence. 

It is quite clear that the prime 2 behaves in a special way, so we exclude it from the class group. More precisely, we will denote by $Cl_0(D)$ the odd part of the class group, i.e. the subgroup of elements of odd order. We then have the following conjectures.


Conjecture 5.10.1 (Cohen-Lenstra). For any odd prime $p$ and any integer $r$ including $r = \infty$ set $(p)_r = \prod_{1 \le k \le r}(1 - p^{-k})$, and let $A = \prod_{k \ge 2}\zeta(k) \approx 2.29486$, where $\zeta(s)$ is the ordinary Riemann zeta function.

(1) The probability that $Cl_0(D)$ is cyclic is equal to

$$\zeta(2)\zeta(3)/(3\,(2)_\infty A\,\zeta(6)) \approx 0.977575.$$

(2) If $p$ is an odd prime, the probability that $p \mid h(D)$ is equal to

$$f(p) = 1 - (p)_\infty = \frac{1}{p} + \frac{1}{p^2} - \cdots$$

For example, $f(3) \approx 0.43987$, $f(5) \approx 0.23967$, $f(7) \approx 0.16320$.

(3) If $p$ is an odd prime, the probability that the $p$-Sylow subgroup of $Cl(D)$ is isomorphic to a given finite Abelian $p$-group $G$ is equal to $(p)_\infty/|\mathrm{Aut}(G)|$, where $\mathrm{Aut}(G)$ denotes the group of automorphisms of $G$.

(4) If $p$ is an odd prime, the probability that the $p$-Sylow subgroup of $Cl(D)$ has rank $r$ (i.e. is isomorphic to a product of $r$ cyclic groups) is equal to

$$p^{-r^2}(p)_\infty/((p)_r)^2.$$


These  conjectures  explain  the  following  qualitative  observations  which 
were  made  by  studying  the  tables. 

(1) The odd part of the class group is quite rarely non-cyclic. In fact, it was only in the sixties that the first examples of class groups with 3-rank greater than or equal to 3 were discovered.

(2) Higher ranks are even more difficult to find, and the present record for $p = 3$, due to Quer (see [Llo-Quer] and [Quer]) is 3-rank equal to 6. Note that there is a very interesting connection with elliptic curves of high rank over $\mathbb{Q}$ (see Chapter 7), and Quer's construction indeed gives curves of rank 12.

(3) If $p$ is a small odd prime, the probability that $p \mid h(D)$ is substantially higher than the expected naive value $1/p$. Indeed, it should be very close to $1/p + 1/p^2$.


5.10.2  Results  and  Heuristics  for  Real  Quadratic  Fields 

Because of the presence of non-trivial units, the situation in this case is completely different and even less understood than the imaginary quadratic case. Here the Brauer-Siegel theorem tells us that $\ln(R(D)h(D)) \sim \ln(\sqrt{D})$ as $D \to \infty$, where $R(D)$ is the regulator. Unfortunately, we have little control on $R(D)$, and this is the main source of our ignorance about real quadratic fields. It is conjectured that $R(D)$ is "usually" of the order of $\sqrt{D}$, hence that $h(D)$ is usually very small, and this is what the tables show. For example, there should exist an infinite number of $D$ such that $h(D) = 1$, but this is not known to be true and is a famous conjecture. In fact, it is not even known whether there exists an infinite number of non-isomorphic number fields $K$ (all degrees taken together) with class number equal to one.

As in the imaginary case however, we can give an upper bound $h(D) < \sqrt{D}$ when $D > 0$, and the following average for $R(D)h(D)$:

$$\sum_{D \le x} R(D)h(D) \sim \frac{x^{3/2}}{6}\,C$$

where the sum runs over fundamental discriminants and the constant $C$ is as before.

It  is  possible  to  generalize  the  heuristic  method  used  in  the  imaginary  case. 
In  fact,  we  could  reinterpret  Shanks’s  infrastructure  idea  as  saying  that  the 
class  group  of  a  real  quadratic  field  is  equal  to  the  quotient  of  the  “group”  of 
reduced  forms  by  the  “cyclic  subgroup”  formed  by  the  principal  cycle.  This  of 
course  does  not  make  any  direct  sense  since  the  reduced  forms  form  a  group 
only  in  an  approximate  sense,  and  similarly  for  the  principal  cycle.  It  suggests 
however  that  we  could  consider  the  (odd  part)  of  the  class  group  of  a  real 
quadratic  field  as  the  quotient  of  a  random  finite  Abelian  group  of  odd  order 
(weighted  as  before)  by  a  random  cyclic  subgroup.  This  indeed  works  out  very 
well  and  leads  to  the  following  conjectures. 

Conjecture 5.10.2 (Cohen-Lenstra). Let $D$ be a positive fundamental discriminant.

(1) If $p$ is an odd prime, the probability that $p \mid h(D)$ is equal to

$$1 - \frac{(p)_\infty}{1 - 1/p} = \frac{1}{p^2} + \frac{1}{p^3} + \frac{1}{p^4} - \cdots$$

(2) The probability that $Cl_0(D)$ is isomorphic to a given finite Abelian group $G$ of odd order $g$ is equal to $m(G) = 1/(2g\,(2)_\infty A\,|\mathrm{Aut}(G)|)$. For example $m(\{0\}) \approx 0.75446$, $m(\mathbb{Z}/3\mathbb{Z}) \approx 0.12574$, $m(\mathbb{Z}/5\mathbb{Z}) \approx 0.03772$.

(3) If $p$ is an odd prime, the probability that the $p$-Sylow subgroup of $Cl(D)$ has rank $r$ is equal to $p^{-r(r+1)}(p)_\infty/((p)_r(p)_{r+1})$.

(4) We have $\sum_{p \le x} h(p) \sim$ [right-hand side illegible in this copy], where the sum runs over primes congruent to 1 modulo 4.
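
Added example (not code from the book): the numerical constants quoted in Conjectures 5.10.1 and 5.10.2 recomputed in Python. $\zeta(k)$ is evaluated by direct summation plus an Euler-Maclaurin tail, and the truncation parameters are choices made here; the rank-probability sums serve as a consistency check that each conjecture's rank distribution sums to 1.

```python
import math


def zeta(k, terms=2000):
    """Riemann zeta(k) for an integer k >= 2: partial sum plus an Euler-Maclaurin tail
    (the omitted tail term is of size k^3 * N^(-k-3) / 720, negligible for N = 2000)."""
    N = terms
    s = sum(n ** -k for n in range(1, N))
    return s + N ** (1 - k) / (k - 1) + N ** (-k) / 2 + k * N ** (-k - 1) / 12


def p_r(p, r=None, eps=1e-18):
    """(p)_r = prod_{1 <= k <= r} (1 - p^-k); r=None means r = infinity,
    truncated once the factor differs from 1 by less than eps."""
    prod, k = 1.0, 1
    while r is None or k <= r:
        term = p ** -k
        if r is None and term < eps:
            break
        prod *= 1 - term
        k += 1
    return prod


def cohen_lenstra_A(kmax=80):
    """A = prod_{k >= 2} zeta(k); zeta(k) - 1 ~ 2^-k, so kmax = 80 exhausts double precision."""
    A = 1.0
    for k in range(2, kmax + 1):
        A *= zeta(k)
    return A


def prob_p_divides_h_imaginary(p):
    """Conjecture 5.10.1 (2): f(p) = 1 - (p)_inf."""
    return 1 - p_r(p)


def prob_odd_part_cyclic_imaginary(A=None):
    """Conjecture 5.10.1 (1): zeta(2) zeta(3) / (3 (2)_inf A zeta(6))."""
    A = cohen_lenstra_A() if A is None else A
    return zeta(2) * zeta(3) / (3 * p_r(2) * A * zeta(6))


def prob_p_rank_imaginary(p, r):
    """Conjecture 5.10.1 (4): p^(-r^2) (p)_inf / ((p)_r)^2."""
    return p ** (-r * r) * p_r(p) / p_r(p, r) ** 2


def prob_p_divides_h_real(p):
    """Conjecture 5.10.2 (1): 1 - (p)_inf / (1 - 1/p)."""
    return 1 - p_r(p) / (1 - 1 / p)


def prob_odd_class_group_real(g, aut_order, A=None):
    """Conjecture 5.10.2 (2): m(G) = 1 / (2 g (2)_inf A |Aut(G)|) for G of odd order g."""
    A = cohen_lenstra_A() if A is None else A
    return 1 / (2 * g * p_r(2) * A * aut_order)


def prob_p_rank_real(p, r):
    """Conjecture 5.10.2 (3): p^(-r(r+1)) (p)_inf / ((p)_r (p)_{r+1})."""
    return p ** (-r * (r + 1)) * p_r(p) / (p_r(p, r) * p_r(p, r + 1))


if __name__ == "__main__":
    A = cohen_lenstra_A()
    print("A =", A, " P(Cl_0 cyclic) =", prob_odd_part_cyclic_imaginary(A))
    for p in (3, 5, 7):
        print(p, "divides h(D): imaginary", prob_p_divides_h_imaginary(p),
              "real", prob_p_divides_h_real(p))
    print("m({0}) =", prob_odd_class_group_real(1, 1, A),
          " m(Z/3Z) =", prob_odd_class_group_real(3, 2, A),
          " m(Z/5Z) =", prob_odd_class_group_real(5, 4, A))
```
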


These  conjectures  explain  in  particular  the  experimental  observation  that 
most  quadratic  fields  of  prime  discriminant  p  (in  fact  more  than  three  fourths) 
have  class  number  one. 

These heuristic conjectures have been generalized to arbitrary number fields by J. Martinet and the author (see [Coh-Mar1], [Coh-Mar2]). Note that contrary to what was claimed in these papers, apparently all the primes dividing the degree of the Galois closure should be considered as non-random (see [Coh-Mar3]), hence the numerical values given in [Coh-Mar1] should be corrected accordingly (e.g. by removing the 2-part for non-cyclic cubic fields or the 3-part for quartic fields of type $A_4$ or $S_4$).


5.11  Exercises  for  Chapter  5 

1. Show that the number of imaginary quadratic fields with discriminant $D$ such that $|D| \le x$ is asymptotic to $3x/\pi^2$, and similarly for real quadratic fields.

2.  Compute  the  probability  that  the  discriminant  of  a  quadratic  field  is  divisible 
by  a  given  prime  number  p  (beware:  the  result  is  not  what  you  may  expect). 

3. Complete Theorem 5.2.9 by giving explicitly the correspondences between ideal classes, classes of quadratic forms and classes of quadratic numbers, at the level of $PSL_2(\mathbb{Z})$.

4. Let $K$ be a quadratic field and $p$ a prime. Generalizing Theorem 1.4.1, find the structure of the multiplicative group $(\mathbb{Z}_K/p\mathbb{Z}_K)^*$, and in particular compute its cardinality.

5. (H.W. Lenstra and D. Knuth) Let $D$ denote the discriminant of an imaginary quadratic field. If $x > 0$, let $f(x, D)$ be the probability that a quadratic form $(a, b, c)$ with $-a < b \le a$ and $a \le x\sqrt{|D|}$ is reduced. From Lemma 5.3.4, we know that $f(x, D) = 1$ if $x < 1/2$ and $f(x, D) = 0$ if $x > 1/\sqrt{3}$. Show that $f(x, D)$ has a limit $f(x)$ as $|D| \to \infty$, and give a closed formula for $f(x)$, assuming that a quadratic number behaves like a random irrational number. Note that this exercise is difficult, and the complete result without the randomness assumption has only recently been proved by Duke (see [Duk]).

6. If $D_0$ is a fundamental negative discriminant and $D = D_0 f^2$, show directly from the formula given in the text that $h(D_0) \mid h(D)$.

7. Let $p$ be a prime number such that $p \equiv 3 \pmod 4$. Using Dirichlet's class number formula (Corollary 5.3.13) express $h(-p)$ as a function of

$$\sum_{1 \le n \le (p-1)/2} [\text{summand illegible in this copy}].$$

Is this algorithmically better than Dirichlet's formula?

8.  Carry  out  in  detail  the  GCD  computations  of  the  proof  of  Lemma  5.4.5. 

9.  Show  that  the  composite  of  two  primitive  forms  is  primitive,  and  also  that 
primitivity  is  preserved  under  reduction  (both  for  complex  quadratic  fields  and 
real  ones).  Prove  these  results  first  using  the  interpretation  in  terms  of  ideals, 
then  directly  on  the  formulas. 

10. Show that, in order to generalize Algorithm 5.4.7 to imprimitive forms, we can replace the assignment $v_1 \leftarrow a_1/d_1$ of Step 4 by $v_1 \leftarrow \gcd(d_1, c_1, c_2, n)\,a_1/d_1$.

11. Let $A$, $B$ and $C$ be integers, and assume that at most one of them is equal to zero. Show that the general integral solution to the equation

$$uA + vB + wC = 0$$

is given by

$$u = \frac{B}{(A,B)}\,\nu - \frac{C}{(A,C)}\,\mu,\qquad v = \frac{C}{(B,C)}\,\lambda - \frac{A}{(A,B)}\,\nu,\qquad w = \frac{A}{(A,C)}\,\mu - \frac{B}{(B,C)}\,\lambda$$

where $\lambda$, $\mu$ and $\nu$ are arbitrary integers.

12. Using the preceding exercise, show that as claimed after Definition 5.4.6 the class of $(a_3, b_3, c_3)$ modulo $\Gamma_\infty$ is well defined.

13. In step 9 of Algorithm 5.5.2, it is suggested to compute the determinant of the lattice generated by the columns of a rectangular matrix $A_1$ of full rank by computing this determinant modulo $p$ and using the Chinese remainder theorem together with Hadamard's inequality. Show that it is possible to modify the Gauss-Bareiss Algorithm 2.2.6 so as to compute this determinant directly, and compare the efficiency of the two methods, in theory as well as in practice (in the author's experience, the direct method is usually superior). Hint: use flags $c_k$ and/or $d_k$ as in Algorithm 2.3.1.

14. Implement the large prime variation explained after Algorithm 5.5.2 in the following manner. Choose some integer $k$ (say $k = 500$) and use $k$ lists of quadratic forms as follows. Each time that some $p_a$ is encountered, we store $p_a$ and the corresponding quadratic form in the $n$-th list, where $n = p_a \bmod k$. If $p_a$ is already in the list, we have a relation, otherwise we do nothing else. Study the efficiency of this method and the choice of $k$. (Note: this method is a special case of a well known method used in computer science called hashing, see [Knu3].)

15. Implement Atkin's variant of McCurley's algorithm assuming that the discriminant $D$ is a prime number and that the order of $f$ is larger than the bound given by the Euler product.

16. Let $\mathfrak{a}$ be an integral ideal in a number field $K$, $\ell(\mathfrak{a})$ the smallest positive rational integer belonging to $\mathfrak{a}$, and $\sigma_i$ the embeddings of $K$ into $\mathbb{C}$. We will say that $\mathfrak{a}$ is reduced if $\mathfrak{a}$ is primitive and if the conditions $\alpha \in \mathfrak{a}$ and, for all $i$, $|\sigma_i(\alpha)| < \ell(\mathfrak{a})$ imply that $\alpha = 0$.

a) If $(\mathfrak{a}, s) = \phi_{FI}(a, b, c)$, show that $\mathfrak{a}$ is reduced if and only if there exists a (unique) quadratic form in the $\Gamma_\infty$-class of $(a, b, c)$ which is reduced. (Since the cases $K$ real and imaginary must be treated separately, this is in fact two exercises in one.)

b) In the case where $K = \mathbb{Q}(\sqrt{D})$ is a real quadratic field, show that $\mathfrak{a}$ is reduced if and only if there exist integers $a_1$ and $a_2$ such that $a_1 \equiv a_2 \equiv b \pmod{2a}$, $0 < a_1 < \sqrt{D}$ and $-\sqrt{D} < a_2 < 0$.

c) Let $\mathfrak{a}$ be an ideal in the number field $K$. Show that there exists an $\alpha \in \mathfrak{a}$ such that $|\sigma_i(\beta)| < |\sigma_i(\alpha)|$ for all $i$ implies that $\beta = 0$. By considering the ideal $(d/\alpha)\mathfrak{a}$ for a suitable integer $d$, deduce from this that, as in the quadratic case, every ideal is equivalent to a (not necessarily unique) reduced ideal.

17. Show that in any cycle of reduced quadratic forms of discriminant $D > 0$, there exists a form $(a, b, c)$ with $|a| < \sqrt{D/5}$. In other words, show that in any ideal class there exists an ideal $\mathfrak a$ such that $\mathcal N(\mathfrak a) < \sqrt{D/5}$. (Hint: use Theorem 454 in [H-W].)

18.  Prove  Proposition  5.6.1. 

19. Using Definition 4.9.11 and Proposition 5.1.4, show that if K is a (real or imaginary) quadratic field of discriminant D we have $\zeta_K(s) = \zeta(s)L_D(s)$, and hence that Propositions 5.3.12 and 5.6.9 are special cases of Dedekind's Theorem 4.9.12.

20.  Modify  Algorithm  5.7.1  so  that  it  is  still  valid  for  a  <  0. 

21. Prove the following precise form of Lemma 5.7.6. If p and q are coprime integers, denote by $p'$ the inverse of p modulo q such that $1 \le p' \le q$. Let $\alpha$ be a real number. Then $p/q$ is a convergent in the continued fraction expansion of $\alpha$ if and only if

$$-\frac{1}{q(q+p')} < \alpha - \frac{p}{q} < \frac{1}{q(2q-p')}.$$

22. Show that the period of the continued fraction expansion of the quadratic irrational corresponding to the inverse of a reduced quadratic form $f$ of positive discriminant is the reverse of the period of the quadratic number corresponding to $f$. Conclude that for ambiguous forms, the period is symmetric.

23. Write an algorithm corresponding to Algorithm 5.7.2 as Algorithm 5.7.10 corresponds to Algorithm 5.7.1 for computing the regulator of a real quadratic field using the symmetry of the period when we start with the unit form instead of any reduced form.

24. Assume that one has computed the regulator of a real quadratic field using the method explained in Section 5.9 to a given precision which need not be very high. Show that one can then compute the regulator to any desired accuracy in a small extra amount of time (hint: using the distance function, we now know where to look in the cycle).

25.  Similarly  to  the  preceding  exercise,  show  that  one  can  also  compute  the  p-adic 
regulator  to  any  desired  accuracy  in  a  small  extra  amount  of  time. 
26. Let D be a fundamental discriminant.

a) Show that $h^+(D)R^+(D) = 2h(D)R(D)$ and that $R^+(D) = 2R(D)$ if and only if the fundamental unit is of norm equal to $-1$.

b)  What  modifications  can  be  made  to  Algorithm  5.9.2  so  that  it  computes 
the  regulator  and  the  class  number  in  the  narrow  sense? 

27. Let $D < -4$ be a fundamental discriminant, and set $f = |D|$.

a) Set $s(x) = \sum_{1 \le n \le x} \left(\frac{D}{n}\right)$. Show that $|s(x)| < f/2$ and by Abel summation that $\left|\sum_{n > f} \left(\frac{D}{n}\right)/n\right| < 1/2$.

b) Show that $h(D) < \frac{1}{\pi}\sqrt{f}\,\ln f$.

c) Using the Pólya-Vinogradov inequality (see Exercise 8 of Chapter 9), give a better explicit upper bound for $h(D)$, asymptotic to $\frac{1}{2\pi}\sqrt{f}\,\ln f$.

28. (S. Louboutin) Using again the function $s(x)$ defined in Exercise 27 and Abel summation, show that we can avoid the computation of the function $\operatorname{erfc}(x)$ in Proposition 5.3.14 using the fact that $h(D)$ is an integer whose parity can be computed in advance ($h(D)$ is odd if and only if $D = -4$, $D = -8$ or $D = -p$ where p is a prime congruent to 3 modulo 4). Apply a similar method in Proposition 5.6.11.


Chapter  6 

Algorithms  for  Algebraic  Number  Theory  II 


We  now  leave  the  realm  of  quadratic  fields  where  the  main  computational 
tasks  of  algebraic  number  theory  mentioned  at  the  end  of  Chapter  4  were 
relatively  simple  (although  as  we  have  seen  many  conjectures  remain),  and 
move  on  to  general  number  fields. 

We first discuss practical algorithms for computing an integral basis and for the decomposition of primes in a number field K, essentially following a paper of Buchmann and Lenstra [Buc-Len], except that we avoid the explicit use of Artinian rings. We then discuss algorithms for computing Galois groups (up to degree 7, but see also Exercise 15). As examples of number fields of higher degree we then treat cyclic and pure cubic fields. Finally, in the last section of this chapter, we give a complete algorithm for class group and regulator computation which is sufficient for dealing with fields having discriminants of reasonable size. This algorithm also gives a system of fundamental units if desired.


6.1  Computing  the  Maximal  Order 

Let $K = \mathbb Q(\theta)$ be a number field, where $\theta$ is a root of a monic polynomial $T(X) \in \mathbb Z[X]$. Recall that $\mathbb Z_K$ has been defined as the set of algebraic integers belonging to K, and that it is called the maximal order since it is an order in K containing every order of K. We will build it up by starting from a known order (in fact from $\mathbb Z[\theta]$) and by successively enlarging it.

6.1.1  The  Pohst-Zassenhaus  Theorem 

The  main  tool  that  we  will  use  for  enlarging  an  order  is  the  Pohst-Zassenhaus 
Theorem  6.1.3  below.  We  first  need  a  few  basic  results  and  definitions. 

Definition 6.1.1. Let O be an order in a number field K and let p be a prime number.

(1) We will say that O is p-maximal if $[\mathbb Z_K : O]$ is not divisible by p.

(2) We define the p-radical $I_p$ as follows:

$$I_p = \{x \in O \mid \exists m \ge 1 \text{ such that } x^m \in pO\}.$$
Proposition 6.1.2. Let O be an order in a number field K and let p be a prime number.

(1) The p-radical $I_p$ is an ideal of O.

(2) We have

$$I_p = \prod_{1 \le i \le g} \mathfrak p_i,$$

the product being over all distinct prime ideals $\mathfrak p_i$ of O which lie above p.

(3) There exists an integer m such that $I_p^m \subset pO$.

Proof. For (1), the only thing which is not completely trivial is that $I_p$ is stable under addition. If $x^m \in pO$ and $y^n \in pO$, then clearly $(x+y)^{n+m} \in pO$ as we see by using the binomial theorem.

For (2) note that since $\mathfrak p_i$ lies above p then $pO \subset \mathfrak p_i$. So, if $x \in I_p$ there exists an m such that $x^m \in pO \subset \mathfrak p_i$, and hence $x \in \mathfrak p_i$ by definition of a prime ideal. By Proposition 4.6.4 this shows that $x \in \bigcap_{1\le i\le g}\mathfrak p_i = \prod_{1\le i\le g}\mathfrak p_i$ since the distinct maximal ideals $\mathfrak p_i$ are pairwise coprime.

Conversely, assume that $x \in \prod_{1\le i\le g}\mathfrak p_i$. By definition, the set of ideals of O containing pO is in canonical one-to-one correspondence with the ideals of the finite quotient ring $R = O/pO$. We will use this at length later. For now, note that it implies that this set is finite, and in particular the ideals $\alpha^nR$ are finite in number, where $\alpha$ is the class of x in R. In particular, there exists an n such that $\alpha^nR = \alpha^{n+1}R$, i.e. $\alpha^n(1 - \alpha\beta) = 0$ for some $\beta \in R$. By assumption, $\alpha$ belongs to all the maximal ideals $\mathfrak p_i$ of R, hence $(1 - \alpha\beta)$ cannot belong to any of them, otherwise 1 would also, which is impossible. It follows that the ideal $(1 - \alpha\beta)R$, not being contained in any maximal ideal, must be equal to R, i.e. $1 - \alpha\beta$ is invertible in R. The equality $\alpha^n(1 - \alpha\beta) = 0$ thus implies that $\alpha^n = 0$ in R, i.e. that $x^n \in pO$ or again that $x \in I_p$ as was to be proved.

Finally, for (3) note that since $I_p$ is an ideal of an order in a number field it has a finite $\mathbb Z$-basis $x_i$ for $1 \le i \le n$. For each i there exists an $m_i$ such that $x_i^{m_i} \in pO$, and if we set $m = \sum_{1\le i\le n} m_i$ it is clear that $I_p^m \subset pO$, using this time the multinomial theorem instead of the binomial theorem. □

The procedure that we will use to obtain the maximal order is to start with $O = \mathbb Z[\theta]$ and enlarge it for successive primes so as to get an order which is p-maximal for every p, hence which will be the maximal order. The enlarging procedure which we will use, due to Pohst and Zassenhaus, is based on the following theorem.

Theorem 6.1.3. Let O be an order in a number field K and let p be a prime number. Set

$$O' = \{x \in K \mid xI_p \subset I_p\}.$$

Then either $O' = O$, in which case O is p-maximal, or $O' \supsetneq O$ and $p \mid [O' : O] \mid p^n$.
Proof. Since $I_p$ is an ideal, it is clear that $O'$ is a ring containing O. Furthermore, since $p \in I_p$, $x \in O'$ implies that $xp \in I_p \subset O$ and hence $O \subset O' \subset \frac{1}{p}O$. This shows that $O'$ has maximal rank, i.e. is an order in K, and it also shows that $[O' : O] \mid p^n$.

We now assume that $O' = O$. Define

$$O_p = \{x \in \mathbb Z_K \mid \exists j \ge 1,\ p^jx \in O\}.$$

It is clear that $O \subset O_p$ and that $O_p$ is an order. Furthermore, $O_p$ is p-maximal. Indeed, if p divides the index $[\mathbb Z_K : O_p]$, then there exists $x \in \mathbb Z_K$ such that $x \notin O_p$ but $px \in O_p$. The definition of $O_p$ shows that this is impossible.

We are now going to show that $O_p = O$. Since $O_p$ is an order, it is finitely generated over $\mathbb Z$. Hence there exists an $r \ge 1$ such that $p^rO_p \subset O$ (take r to be the maximum of the j such that $p^jx_i \in O$ for a finite generating set $(x_i)$ of $O_p$). Since $I_p^m \subset pO$ it follows that $O_pI_p^{mr} \subset O$. Assume by contradiction that $O_p \ne O$, hence $O_p \not\subset O$. Let n be the largest index such that $O_pI_p^n \not\subset O$ (hence n exists and $0 \le n < mr$). We thus also have $O_pI_p^{n+1} \subset O$. Choose any $x \in O_pI_p^n \setminus O$. Then $xI_p \subset O$. Since $O_pI_p^{n+m+1} \subset I_p^m \subset pO$ it follows that if $y \in I_p$, then $(xy)^{n+m+1} \in pO$ hence that $xy \in I_p$, so $xI_p \subset I_p$ thus showing that $x \in O'$. This is a contradiction since $x \notin O$ and we have assumed that $O' = O$. This finishes the proof of Theorem 6.1.3. □

(I thank D. Bernardi for the final part of the proof.)

6.1.2  The  Dedekind  Criterion 

From the Pohst-Zassenhaus theorem, starting from a number field $K = \mathbb Q(\theta)$ defined by a monic polynomial $T \in \mathbb Z[X]$, we will enlarge the order $\mathbb Z[\theta]$ for every prime p such that $p^2$ divides the discriminant of T until we obtain an order which is p-maximal for every p, i.e. the maximal order. In practice however, even when the discriminant has square factors, $\mathbb Z[\theta]$ is quite often p-maximal for a number of primes p, and it is time consuming to have to compute $O'$ as in Theorem 6.1.3 just to notice that $O' = \mathbb Z[\theta]$, i.e. that $\mathbb Z[\theta]$ is p-maximal. Fortunately, there is a simple and important criterion due to Dedekind which allows us to decide, without the more complicated computations explained in the next section, whether $\mathbb Z[\theta]$ is p-maximal or not for prime numbers p, and if it is not, it will give us a larger order, which of course may still not be p-maximal.

It must be emphasized that this will work only for $\mathbb Z[\theta]$, or for any order O containing $\mathbb Z[\theta]$ with $[O : \mathbb Z[\theta]]$ prime to p, but not for an order which has already been enlarged for the prime p itself.

This being said, the basic theorem that we will prove, of which Dedekind's criterion is a special case, is as follows.

Theorem 6.1.4 (Dedekind). Let $K = \mathbb Q(\theta)$ be a number field, $T \in \mathbb Z[X]$ the monic minimal polynomial of $\theta$ and let p be a prime number. Denote by $\bar{\ }$ reduction modulo p (in $\mathbb Z$, $\mathbb Z[X]$ or $\mathbb Z[\theta]$). Let

$$\bar T(X) = \prod_{i=1}^k \bar t_i(X)^{e_i}$$

be the factorization of $T(X)$ modulo p in $\mathbb F_p[X]$, and set

$$g(X) = \prod_{i=1}^k t_i(X)$$

where the $t_i \in \mathbb Z[X]$ are arbitrary monic lifts of $\bar t_i$. Then

(1) The p-radical $I_p$ of $\mathbb Z[\theta]$ at p is given by

$$I_p = p\mathbb Z[\theta] + g(\theta)\mathbb Z[\theta].$$

In other words, $x = A(\theta) \in I_p$ if and only if $\bar g \mid \bar A$.

(2) Let $h(X) \in \mathbb Z[X]$ be a monic lift of $\bar T(X)/\bar g(X)$ and set

$$f(X) = (g(X)h(X) - T(X))/p \in \mathbb Z[X].$$

Then $\mathbb Z[\theta]$ is p-maximal if and only if

$$(\bar f, \bar g, \bar h) = 1 \text{ in } \mathbb F_p[X].$$

(3) More generally, let $O'$ be the order given by Theorem 6.1.3 when we start with $O = \mathbb Z[\theta]$. Then, if U is a monic lift of $\bar T/(\bar f, \bar g, \bar h)$ to $\mathbb Z[X]$ we have

$$O' = \mathbb Z[\theta] + \frac{1}{p}U(\theta)\mathbb Z[\theta]$$

and if $m = \deg(\bar f, \bar g, \bar h)$, then $[O' : \mathbb Z[\theta]] = p^m$, hence $\operatorname{disc}(O') = \operatorname{disc}(T)/p^{2m}$.

Proof of (1). $p \in I_p$ trivially, and since the exponents $e_i$ are at most equal to $n = [K : \mathbb Q] = \deg(T)$, we have $\bar T \mid \bar g^n$ hence $g^n(\theta) \equiv 0 \pmod{p\mathbb Z[\theta]}$ so $g(\theta) \in I_p$, thus proving that $I_p \supset p\mathbb Z[\theta] + g(\theta)\mathbb Z[\theta]$.

Now the minimal polynomial over $\mathbb F_p$ of $\theta$ in $\mathbb Z[\theta]/p\mathbb Z[\theta]$ (which is not a field in general) is clearly the polynomial $\bar T$. Indeed, it clearly divides $\bar T$, but it is of degree at least n since $1, \theta, \dots, \theta^{n-1}$ are $\mathbb F_p$-linearly independent.

Conversely let $x \in I_p$. Then $x = A(\theta)$ for $A \in \mathbb Z[X]$, and so there exists an integer m such that $x^m \equiv 0 \pmod{p\mathbb Z[\theta]}$, in other words $\bar A^m(\theta) = 0$ in $\mathbb Z[\theta]/p\mathbb Z[\theta]$. Hence $\bar T \mid \bar A^m$. Since $e_i \ge 1$ for all i, this implies that $\bar t_i \mid \bar A^m$ hence $\bar t_i \mid \bar A$ since $\bar t_i$ is irreducible in $\mathbb F_p[X]$, and since the $\bar t_i$ are pairwise coprime, we get $\bar g \mid \bar A$ which means that $x \in p\mathbb Z[\theta] + g(\theta)\mathbb Z[\theta]$ thus proving (1).

Since $\bar T$ is the minimal polynomial of $\theta$ in $\mathbb Z[\theta]/p\mathbb Z[\theta]$, it is clear that (2) follows from (3).
Let us now prove (3). Recall that $O' = \{x \in K \mid xI_p \subset I_p\}$. From (1) we have that $x \in O'$ if and only if $xp \in I_p$ and $xg(\theta) \in I_p$. Since $I_p \subset \mathbb Z[\theta]$, $xp \in I_p$ implies that

$$x = A_1(\theta)/p$$

where $A_1 \in \mathbb Z[X]$. Part (3) of the theorem will immediately follow from the following lemma.

Lemma 6.1.5. Let $x = A_1(\theta)/p$ with $A_1 \in \mathbb Z[X]$. Then

(1) $xp \in I_p$ if and only if

$$\bar g \mid \bar A_1.$$

(2) Let $k = g/(f, g)$, where (here as elsewhere in this section) k is implicitly considered to be a monic lift of $\bar k$ to $\mathbb Z[X]$. Then $xg(\theta) \in I_p$ if and only if

$$\bar h\bar k \mid \bar A_1.$$


Proof of the Lemma. Part (1) of the lemma is an immediate consequence of part (1) of the theorem. Let us prove part (2).

From part (1) of the theorem, $xg(\theta) \in I_p$ if and only if there exist polynomials $A_2$ and $A_3$ in $\mathbb Z[X]$ such that

$$A_1(\theta)g(\theta) = p\bigl(pA_2(\theta) + g(\theta)A_3(\theta)\bigr),$$

and since T is the minimal polynomial of $\theta$, this is true if and only if there exists $A_4 \in \mathbb Z[X]$ such that

$$A_1(X)g(X) = p^2A_2(X) + pg(X)A_3(X) + A_4(X)T(X).$$

For the rest of this proof, we will work only with polynomials (in $\mathbb Z[X]$ or $\mathbb F_p[X]$), and not any more in K.

Reducing modulo p, the above equation implies that $\bar A_1 = \bar A_4\bar h$. Hence write

$$A_1 = hA_4 + pA_5$$

with $A_5 \in \mathbb Z[X]$. We have that $xg(\theta) \in I_p$ if and only if there exist polynomials $A_i \in \mathbb Z[X]$ such that

$$(gh - T)A_4 = p^2A_2 + pg(A_3 - A_5),$$

hence if and only if there exist $A_i$ such that

$$fA_4 = pA_2 + gA_6.$$

This last condition is equivalent to $\bar g \mid \bar f\bar A_4$ so to $\bar k \mid \bar A_4$ where $\bar k = \bar g/(\bar f, \bar g)$, and this is equivalent to the existence of $A_7$ and $A_8$ in $\mathbb Z[X]$ such that $A_4 = kA_7 + pA_8$.

To sum up, we see that if $x = A_1(\theta)/p$, then $xg(\theta) \in I_p$ if and only if there exist polynomials $A_5$, $A_7$ and $A_8$ in $\mathbb Z[X]$ such that

$$A_1 = hkA_7 + p(hA_8 + A_5),$$

and this is true if and only if there exists $A_9 \in \mathbb Z[X]$ such that $A_1 = hkA_7 + pA_9$ or equivalently $\bar h\bar k \mid \bar A_1$, thus proving the lemma. □

We can now prove part (3) of the theorem. From the lemma, we have that $x = A_1(\theta)/p \in O'$ if and only if both $\bar g$ and $\bar h\bar k$ divide $\bar A_1$ in the PID $\mathbb F_p[X]$, hence if and only if the least common multiple of $\bar g$ and $\bar h\bar k$ divides $\bar A_1$. Since in any PID, $\operatorname{lcm}(x, y) = xy/(x, y)$ and $\operatorname{lcm}(zx, zy) = z\operatorname{lcm}(x, y)$, we have

$$\operatorname{lcm}(g, hk) = k\operatorname{lcm}(\gcd(f, g), h) = \frac{g}{(f, g)}\cdot\frac{(f, g)\,h}{(f, g, h)} = \frac{T}{(f, g, h)} = U,$$

thus proving that $O' = \mathbb Z[\theta] + (U(\theta)/p)\mathbb Z[\theta]$. Now it is clear that a system of representatives of $O'$ modulo $\mathbb Z[\theta]$ is given by $A(\theta)U(\theta)/p$ where A runs over uniquely chosen representatives in $\mathbb Z[X]$ of polynomials in $\mathbb F_p[X]$ such that $\deg(A) < \deg(T) - \deg(U) = m$, thus finishing the proof of the theorem. □


An important remark is that the proof of this theorem is local at p, in other words we can copy it essentially verbatim if we everywhere replace $\mathbb Z[\theta]$ by any overorder O of $\mathbb Z[\theta]$ such that $[O : \mathbb Z[\theta]]$ is coprime to p. The final result is then that the new order enlarged at p is

$$O' = O + \frac{U(\theta)}{p}O,$$

and $[O' : O] = p^m$.


6.1.3  Outline  of  the  Round  2  Algorithm 

From the Pohst-Zassenhaus theorem it is easy to obtain an algorithm for computing the maximal order. We will of course use the Dedekind criterion to simplify the first steps for every prime p.

Let $K = \mathbb Q(\theta)$ be a number field, where $\theta$ is an algebraic integer. Let T be the minimal polynomial of $\theta$. We can write $\operatorname{disc}(T) = df^2$, where d is either 1 or a fundamental discriminant. If $\mathbb Z_K$ is the maximal order which we are looking for, then the index $[\mathbb Z_K : \mathbb Z[\theta]]$ has only primes dividing f as prime divisors because of Proposition 4.4.4. We are going to compute $\mathbb Z_K$ by successive enlargements from $O = \mathbb Z[\theta]$, one prime dividing f at a time. For every p dividing f we proceed as follows. By using Dedekind's criterion, we check whether O is p-maximal and if it is not we enlarge it once using Theorem 6.1.4 (3) applied to O. If the new discriminant is not divisible by $p^2$, then we are done, otherwise we compute $O'$ as described in Theorem 6.1.3. If $O' = O$, then O is p-maximal and we are finished with the prime p, so we move on to the next prime, if any. (Here again we can start using Dedekind's criterion.) Otherwise, replace O by $O'$, and use the method of Theorem 6.1.3 again. It is clear that this algorithm is valid and will lead quite rapidly to the maximal order. This algorithm was the second one invented by Zassenhaus for maximal order computations, and so it has become known as the round 2 algorithm (the latest and most efficient is round 4).

What  remains  is  to  explain  how  to  carry  out  explicitly  the  different  steps 
of  the  algorithm,  when  we  apply  Theorem  6.1.3. 

First, $\theta$ is fixed, and all ideals and orders will be represented by their upper triangular HNF as explained in Section 4.7.2. We must explain how to compute the HNF of $I_p$ and of $O'$ in terms of the HNF of O. It is simpler to compute in $R = O/pO$. To compute the radical of R, we note the following lemma:

Lemma 6.1.6. If $n = [K : \mathbb Q]$ and if $j \ge 1$ is such that $p^j \ge n$, then the radical of R is equal to the kernel of the map $x \mapsto x^{p^j}$, which is the jth power of the Frobenius homomorphism.


Proof. It is clear that the map in question is the jth power of the Frobenius homomorphism, hence talking about its kernel makes sense. By definition of the radical, it is clear that this kernel is contained in the radical. Conversely, let x be in the radical. Then x induces a nilpotent map defined by multiplication by x from R to R, and considering R as an $\mathbb F_p$-vector space, this means that the eigenvalues of this map in $\mathbb F_p$ are all equal to 0. Hence, its characteristic polynomial must be $X^n$ (since $n = \dim_{\mathbb F_p} R$), and by the Cayley-Hamilton theorem this shows that $x^n = 0$, and hence that $x^{p^j} = 0$, proving the lemma. □

Let $\omega_1, \dots, \omega_n$ be the HNF basis of O. Then it is clear that $\bar\omega_1, \dots, \bar\omega_n$ is an $\mathbb F_p$-basis of R. For $k = 1, \dots, n$, we compute $a_{i,k}$ such that

$$\bar\omega_k^{p^j} = \sum_{i=1}^n a_{i,k}\bar\omega_i,$$

the left hand side being computed as a polynomial in $\theta$ by the standard representation algorithms, and the coefficients $a_{i,k}$ being easily found inductively since an HNF matrix is triangular. Hence, if A is the matrix of the $a_{i,k}$, the radical is simply the kernel of this matrix.

Hence, if we apply Algorithm 2.3.1, we will obtain a basis of $\bar I_p$, the radical of R, in terms of the standard representation. Since $I_p$ is generated by pull-backs of a basis of $\bar I_p$ and $p\omega_1, \dots, p\omega_n$, to obtain the HNF of $I_p$ we apply the HNF reduction algorithm to the matrix whose columns are the standard representations of these elements.
Now that we have $I_p$, we must compute $O'$. For this, we use the following lemma:

Lemma 6.1.7. With the notations of Theorem 6.1.3, if U is the kernel of the map

$$\alpha \mapsto (\beta \mapsto \alpha\beta)$$

from O to $\operatorname{End}(I_p/pI_p)$, then $O' = \frac{1}{p}U$.

Proof. Trivial and left to the reader. Note that $\operatorname{End}(I_p/pI_p)$ is considered as a $\mathbb Z$-module. □

Hence, we first need to find a basis of $I_p/pI_p$. There are two methods to do this. From the HNF reduction above, we know a basis of $I_p$, and it is clear that the image of this basis in $I_p/pI_p$ is a basis of $I_p/pI_p$. The other method is as follows. We use only the $\mathbb F_p$-basis $\bar\beta_1, \dots, \bar\beta_l$ of $\bar I_p$ found above. Using Algorithm 2.3.6, we can supplement this basis into a basis $\bar\beta_1, \dots, \bar\beta_l, \bar\beta_{l+1}, \dots, \bar\beta_n$ of $O/pO$, and then $\tilde\beta_1, \dots, \tilde\beta_l, p\tilde\beta_{l+1}, \dots, p\tilde\beta_n$ will be an $\mathbb F_p$-basis of $I_p/pI_p$, where $\tilde{\ }$ denotes reduction modulo $pI_p$, and $\beta_i$ denotes any pull-back of $\bar\beta_i$ in O. (Note that the basis which one obtains depends on the pull-backs used.)

This method for finding a basis of $I_p/pI_p$ has the advantage of staying at the mod p level, hence avoids the time consuming Hermite reduction, so it is preferable.

Now that we have a basis of $I_p/pI_p$, the elementary matrices give us a basis of $\operatorname{End}(I_p/pI_p)$. Hence, we obtain explicitly the matrix of the map whose kernel is U, and it is an $n^2 \times n$ matrix. Algorithm 2.3.1 makes sense only over a field, so we must first compute the kernel $\bar U$ of the map from $O/pO$ into $\operatorname{End}(I_p/pI_p)$ which can be done using Algorithm 2.3.1. If $v_1, \dots, v_k$ is the basis of this kernel, to obtain U, we apply Hermite reduction to the matrix whose column vectors are $v_1, \dots, v_k, p\omega_1, \dots, p\omega_n$. In fact, we can apply Hermite reduction modulo the prime p, i.e. take $D = p$ in Algorithm 2.4.8.

Finally, note that to obtain the $n^2 \times n$ matrix above, if the $\gamma_i$ form a basis of $I_p/pI_p$ one computes

$$\omega_k\gamma_i = \sum_{1 \le j \le n} a_{k,i,j}\gamma_j,$$

and k is the column number, while $(i, j)$ is the row index. Unfortunately, in the round 2 algorithm, it seems unavoidable to use such large matrices. Note that to obtain the $a_{k,i,j}$ the work is much simpler if the matrix of the $\gamma_j$ is triangular, and this is not the case in general if we complete the basis as explained above. On the other hand, this would be the case if we used the first method consisting of applying Hermite reduction to get the HNF of $I_p$ itself. Tests must be made to see which method is preferable in practice.
6.1.4 Detailed Description of the Round 2 Algorithm

Using what we have explained, we can now give in complete detail the round 2 algorithm.

Algorithm 6.1.8 (Zassenhaus's Round 2). Let $K = \mathbb Q(\theta)$ be a number field given by an algebraic integer $\theta$ as root of its minimal monic polynomial T of degree n. This algorithm computes an integral basis $\omega_1 = 1, \omega_2, \dots, \omega_n$ of the maximal order $\mathbb Z_K$ (as polynomials in $\theta$) and the discriminant of the field. All the computations in K are implicitly assumed to be done using the standard representation of numbers as polynomials in $\theta$.

1. [Factor discriminant of polynomial] Using Algorithm 3.3.7, compute $D \leftarrow \operatorname{disc}(T)$. Then using a factoring algorithm (see Chapters 8 to 10) factor D in the form $D = D_0F^2$ where $D_0$ is either equal to 1 or to a fundamental discriminant.

2. [Initialize] For $i = 1, \dots, n$ set $\omega_i \leftarrow \theta^{i-1}$.

3. [Loop on factors of F] If $F = 1$, output the integral basis $\omega_i$ (which will be in HNF with respect to $\theta$), compute the product G of the diagonal elements of the matrix of the $\omega_i$ (which will be the inverse of an integer by Corollary 4.7.6), set $d \leftarrow D \cdot G^2$, output the field discriminant d and terminate the algorithm. Otherwise, let p be the smallest prime factor of F.

4. [Factor modulo p] Using the mod p factoring algorithms of Section 3.4, factor T modulo p as $\bar T = \prod \bar t_i^{e_i}$ where the $\bar t_i$ are distinct irreducible polynomials in $\mathbb F_p[X]$ and $e_i > 0$ for all i. Set $\bar g \leftarrow \prod \bar t_i$, $\bar h \leftarrow \bar T/\bar g$, $\bar f \leftarrow \overline{(gh - T)/p}$ (with g and h monic lifts of $\bar g$ and $\bar h$ to $\mathbb Z[X]$, as in Theorem 6.1.4), $\bar Z \leftarrow (\bar f, \bar g, \bar h)$, $\bar U \leftarrow \bar T/\bar Z$ and $m \leftarrow \deg(\bar Z)$.

5. [Apply Dedekind] If $m = 0$, then O is p-maximal so while $p \mid F$ set $F \leftarrow F/p$, then go to step 3. Otherwise, for $1 \le i \le m$, let $v_i$ be the column vector of the components of $\omega_iU(\theta)$ on the standard basis $1, \theta, \dots, \theta^{n-1}$ and set $v_{m+j} = p\omega_j$ for $1 \le j \le n$. Apply the Hermite reduction Algorithm 2.4.8 to the $n \times (n+m)$ matrix whose column vectors are the $v_i$. (Note that the determinant of the final matrix is known to divide D.) If H is the $n \times n$ HNF reduced matrix which we obtain, set for $1 \le i \le n$, $\omega_i \leftarrow H_i/p$ where $H_i$ is the i-th column of H.

6. [Is the new order p-maximal?] If $p^{m+1} \nmid F$, then the new order is p-maximal so while $p \mid F$ set $F \leftarrow F/p$, then go to step 3.

7. [Compute radical] Set $q \leftarrow p$, and while $q < n$ set $q \leftarrow qp$. Then compute the $n \times n$ matrix $A = (a_{i,j})$ over $\mathbb F_p$ such that $\omega_j^q = \sum_{1 \le i \le n} a_{i,j}\omega_i$. Note that the matrix of the $\omega_i$ will stay triangular, so the $a_{i,j}$ are easy to compute. Finally, using Algorithm 2.3.1, compute a basis $\beta_1, \dots, \beta_l$ of the kernel of the matrix A over $\mathbb F_p$ (this will be a basis of $I_p/pO$).

8. [Compute new basis mod p] Using the known basis $\bar\omega_1, \dots, \bar\omega_n$ of $O/pO$, supplement the linearly independent vectors $\beta_1, \dots, \beta_l$ to a basis $\beta_1, \dots, \beta_n$ of $O/pO$ using Algorithm 2.3.6.

9. [Compute big matrix] Set $\alpha_i \leftarrow \beta_i$ for $1 \le i \le l$, $\alpha_i \leftarrow p\beta_i$ for $l < i \le n$, where $\beta_i$ is a lift to O of $\bar\beta_i$. Compute coefficients $c_{i,j,k} \in \mathbb F_p$ such that $\omega_k\alpha_j = \sum_{1 \le i \le n} c_{i,j,k}\alpha_i \pmod p$. Let C be the $n^2 \times n$ matrix over $\mathbb F_p$ such that $C_{(i,j),k} = c_{i,j,k}$.

10. [Compute new order] Using Algorithm 2.3.1, compute a basis $\gamma_1, \dots, \gamma_m$ for the kernel of C (these are vectors in $\mathbb F_p^n$, and m can be as large as $n^2$). For $1 \le i \le m$ let $v_i$ be a lift of $\gamma_i$ to $\mathbb Z^n$, and set $v_{m+j} = p\omega_j$ for $1 \le j \le n$. Apply the Hermite reduction Algorithm 2.4.8 to the $n \times (n+m)$ matrix whose column vectors are the $v_i$. (Note again that the determinant of the final matrix is known to divide D.) If H is the $n \times n$ HNF reduced matrix which we obtain, set for $1 \le i \le n$, $\omega_i' \leftarrow H_i/p$ where $H_i$ is the i-th column of H.

11. [Finished with p?] If there exists an i such that $\omega_i' \ne \omega_i$, then for every i such that $1 \le i \le n$ set $\omega_i \leftarrow \omega_i'$ and go to step 7. Otherwise, O is p-maximal, so while $p \mid F$ set $F \leftarrow F/p$, and go to step 3.

This finishes our description of the round 2 algorithm. This algorithm seems complicated at first. Although it has been superseded by the round 4 algorithm, it is much simpler to implement and it performs very well. The major bottleneck is perhaps not where the reader expects it to be, i.e. in the handling of large matrices. It is, in fact, in the very first step which consists in factoring $\operatorname{disc}(T)$ in the form $D_0F^2$. Indeed, as we will see in Chapter 10, factoring an 80 digit number takes a considerable amount of time, and factoring a 50 digit one is already not that easy. One can refine the methods given above to the case where one does not suppose p to be necessarily prime (see [Buc-Len] and [Buc-Len2]), but unfortunately this does not avoid finding the largest square dividing $\operatorname{disc}(T)$, which is apparently almost as difficult as factoring it completely.
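As an added illustration of Theorem 6.1.4 (2) and (3) and of steps 4 to 6 of Algorithm 6.1.8, here is a Python implementation of Dedekind's criterion for $\mathbb Z[\theta]$. It is example code written for this page, not code from Cohen's book or from any package. It avoids a full factorization of $\bar T$: the polynomial $\bar g$, the product of the distinct irreducible factors, is obtained as the radical of $\bar T$ through gcds with the derivative (taking p-th roots when the derivative vanishes), which is all the criterion needs. Polynomials are lists of integer coefficients in increasing degree; the function names `radical` and `dedekind` and the sample polynomials $X^2 - 5$, $X^2 + 1$ and $X^3 - 2$ are the example's own choices.

```python
# Added example for this page (not code from Cohen's book or any library):
# Dedekind's criterion, Theorem 6.1.4 (2) and (3), for the order Z[theta].
# A polynomial is a list of integer coefficients, lowest degree first.


def trim(a):
    """Remove leading zero coefficients; the zero polynomial is [0]."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def mul(a, b, p=None):
    """Product of two polynomials over Z, or over F_p when p is given."""
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim([c % p for c in r]) if p else trim(r)


def divmod_p(a, b, p):
    """Quotient and remainder of a by a nonzero b in F_p[X]."""
    a = trim([c % p for c in a])
    q = [0] * max(1, len(a) - len(b) + 1)
    inv = pow(b[-1], p - 2, p)           # inverse of the leading coefficient of b
    while a != [0] and len(a) >= len(b):
        c = a[-1] * inv % p
        s = len(a) - len(b)
        q[s] = c
        for i, y in enumerate(b):
            a[s + i] = (a[s + i] - c * y) % p
        trim(a)
    return trim(q), a


def gcd_p(a, b, p):
    """Monic greatest common divisor in F_p[X]."""
    while b != [0]:
        a, b = b, divmod_p(a, b, p)[1]
    inv = pow(a[-1], p - 2, p)
    return [c * inv % p for c in a]


def derivative(a, p):
    return trim([(i * c) % p for i, c in enumerate(a)][1:] or [0])


def radical(t, p):
    """Product of the distinct monic irreducible factors of a monic t in F_p[X]
    (the polynomial g-bar of Theorem 6.1.4), found without factoring t: the
    factors whose exponent is prime to p are t / gcd(t, t'); when t' = 0 we
    have t = s(X^p) = s(X)^p over F_p and recurse on s."""
    if len(t) == 1:
        return [1]
    dt = derivative(t, p)
    if dt == [0]:
        return radical(trim(t[::p]), p)
    d = gcd_p(t, dt, p)
    if len(d) == 1:
        return t
    part = divmod_p(t, d, p)[0]
    rest = radical(d, p)
    return divmod_p(mul(part, rest, p), gcd_p(part, rest, p), p)[0]


def dedekind(T, p):
    """Apply Theorem 6.1.4 to Z[theta], theta a root of the monic T in Z[X].
    Returns (is_p_maximal, m, U): m = deg gcd(f, g, h) over F_p and U is T-bar
    divided by that gcd, so [O' : Z[theta]] = p^m and
    O' = Z[theta] + (U(theta)/p) Z[theta]."""
    Tbar = trim([c % p for c in T])
    g = radical(Tbar, p)                 # coefficients in [0, p): also a monic lift
    h, r = divmod_p(Tbar, g, p)          # h-bar = T-bar / g-bar, same lift convention
    assert r == [0]
    gh = mul(g, h)                       # product of the lifts in Z[X]
    assert len(gh) == len(T)
    diff = [x - y for x, y in zip(gh, T)]   # g*h - T is divisible by p
    assert all(c % p == 0 for c in diff)
    f = trim([(c // p) % p for c in diff])
    Z = gcd_p(gcd_p(f, g, p), h, p)
    m = len(Z) - 1
    U = divmod_p(Tbar, Z, p)[0]
    return m == 0, m, U


if __name__ == "__main__":
    # Constructed samples: X^2 - 5 at p = 2 is not 2-maximal (index 2, U = X + 1,
    # so O' is generated by (theta + 1)/2); X^2 + 1 at 2 and X^3 - 2 at 2, 3 are.
    for T, p in (([-5, 0, 1], 2), ([1, 0, 1], 2), ([-2, 0, 0, 1], 2), ([-2, 0, 0, 1], 3)):
        print(T, p, dedekind(T, p))
```

For $X^2 - 5$ at $p = 2$ the output is `(False, 1, [1, 1])`: $\bar T = (X+1)^2$, $g = h = X + 1$, $f = X + 3 \equiv X + 1$, so the gcd has degree $m = 1$, the index $[O' : \mathbb Z[\theta]]$ is 2 and $U = X + 1$ gives the familiar order $\mathbb Z[(1+\sqrt5)/2]$. For $X^3 - 2$ at $p = 3$ the derivative of $\bar T = (X+1)^3$ vanishes, which is the case the p-th root step in `radical` handles.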


6.2  Decomposition  of  Prime  Numbers  II 

As we shall see, the general problem of decomposing prime numbers in an algebraic number field is closely related to the problem of computing the maximal order. Consequently, we have already given most of the theory and auxiliary algorithms that we will need. As we have already seen, the problem is as follows. Given a prime p and a p-maximal order O, for example the maximal order $\mathbb Z_K$ itself, determine the maximal ideals $\mathfrak p_i$ and the exponents $e_i$ such that

$$pO = \prod_i \mathfrak p_i^{e_i}.$$

As usual O will be given by its HNF on a power basis $1, \theta, \dots, \theta^{n-1}$, and we want the HNF basis of the $\mathfrak p_i$. The determinant of the corresponding matrix is equal to $\mathcal N(\mathfrak p_i) = p^{f_i}$ in the traditional notation. For practical applications, it will also be useful to have a two-element representation of the ideals $\mathfrak p_i$ (see Proposition 4.7.7).

In Theorem 4.8.13 we saw how to obtain this decomposition when p does not divide the index $[O : \mathbb Z[\theta]]$. Hence we will concentrate on the case where p divides the index.


6.2.1 Newton Polygons

Historically  the  first  method  to  deal  with  this  problem  is  the  so-called  Newton 
polygon  method.  When  it  applies,  it  is  very  easy  to  use,  but  it  must  be  stressed 
that  it  is  not  a  general  method.  We  will  give  a  completely  general  method  in 
the  next  section. 

I  am  grateful  to  F.  Diaz  y  Diaz  and  M.  Olivier  for  the  presentation  of 
Newton  polygons  given  here,  which  follows  [Ore]  and  [Mon-Nar].  Essentially 
no  proofs  are  given. 

We may assume without loss of generality that the minimal polynomial $T(X)$ of $\theta$ is in $\mathbb{Z}[X]$ and is monic.

The first result tells us what survives of Theorem 4.8.13 in the case where $p$ divides the index.

Proposition 6.2.1. Let
$$T(X) \equiv \prod_{i=1}^{g} \overline{T_i}(X)^{e_i} \pmod p$$
be the decomposition of $T$ into irreducible factors in $\mathbb{F}_p[X]$, where the $T_i$ are taken to be arbitrary monic lifts of $\overline{T_i}(X)$ in $\mathbb{Z}[X]$. Then
$$p\mathbb{Z}_K = \prod_{i=1}^{g} \mathfrak{a}_i,$$
where
$$\mathfrak{a}_i = (p, T_i(\theta)^{e_i}) = p\mathbb{Z}_K + T_i(\theta)^{e_i}\mathbb{Z}_K$$
and the $\mathfrak{a}_i$ are pairwise coprime (i.e. $\mathfrak{a}_i + \mathfrak{a}_j = \mathbb{Z}_K$ for $i \ne j$). Furthermore, if $n_i$ is the degree of $T_i$ we have $\mathcal{N}(\mathfrak{a}_i) = p^{e_i n_i}$ and all prime ideals dividing $\mathfrak{a}_i$ are of residual degree divisible by $n_i$.

Proof. The proof follows essentially the same lines as that of Theorem 4.8.13. It is useful to also prove that the inverse of $\mathfrak{a}_i$ is given explicitly as
$$\mathfrak{a}_i^{-1} = \Bigl(1, \prod_{j \ne i} T_j(\theta)^{e_j}/p\Bigr)$$
(see Exercise 5). □

The problem is that the ideals $\mathfrak{a}_i$ are not necessarily powers of a single prime ideal as in Theorem 4.8.13 (the reader can also check via examples that it would not do any good to set $\mathfrak{p}_i = (p, T_i(\theta))$). We must therefore try to split the ideals $\mathfrak{a}_i$ some more. For this we can proceed as follows. By successive Euclidean divisions of $T$ by $T_i$, we can write $T$ in a unique way in the form
$$T(X) = \sum_{j=0}^{\lfloor n/n_i \rfloor} Q_{i,j}(X)\,T_i(X)^j$$
with $\deg(Q_{i,j}) < n_i$. We will call this the $T_i$-expansion of $T$. We will write $d_i = \lfloor n/n_i \rfloor$.

If $Q = \sum_{0 \le k \le m} a_k X^k \in \mathbb{Z}[X]$, we will set
$$v_p(Q) = \min_k \bigl(v_p(a_k)\bigr),$$
where we set $v_p(0) = +\infty$ (or in other words we ignore coefficients equal to zero). The basic definition is as follows.

Definition 6.2.2. With the above notations, for a fixed $i$, the convex hull of the set of points $(j, v_p(Q_{i,d_i-j}))$ for each $j$ such that $Q_{i,d_i-j} \ne 0$ is called the Newton polygon of $T$ relative to $T_i$ and the prime number $p$ (since $p$ is always fixed, we will in fact simply say "relative to $T_i$").

Note that $Q_{i,j} = 0$ for $j < 0$ or $j > d_i$, hence the Newton polygon is bounded laterally by two infinite vertical half lines. Furthermore, since $T$ and the $T_i$ are monic, so is $Q_{i,d_i}$, hence $v_p(Q_{i,d_i}) = 0$. It follows that the first vertex of the Newton polygon is the origin $(0,0)$. Let $a$ be the largest real number (which is of course an integer) such that $(a,0)$ is still on the Newton polygon (we may have $a = 0$ or $a = d_i$). The part of the Newton polygon from the origin to $(a,0)$ is either empty (if $a = 0$) or is a horizontal segment. The rest of the Newton polygon, i.e. the points whose abscissa is greater than or equal to $a$, is called the principal part of the Newton polygon, and $(a,0)$ is its first vertex.

We assume now that $i$ is fixed.

Let $V_j$ for $0 \le j \le r$ be the vertices of the principal part of the Newton polygon of $T$ relative to $T_i$ (in the strict sense: if a point on the convex hull lies on the segment joining two other points, it is not a vertex), and set $V_j = (x_j, y_j)$. The sides of the polygon are the segments joining two consecutive vertices (not counting the infinite vertical lines), and the slopes are the slopes of these sides, i.e. the positive rational numbers $(y_j - y_{j-1})/(x_j - x_{j-1})$ for $1 \le j \le r$ (note that they cannot be equal to zero since we are in the principal part).

The second result gives us a more precise decomposition of $p\mathbb{Z}_K$ than the one given by Proposition 6.2.1 above, whose notations we keep. We refer to [Ore] for a proof.
Proposition 6.2.3. Let $i$ be fixed.

(1) To each side $[V_{j-1}, V_j]$ of the principal part of the Newton polygon of $T$ relative to $T_i$ we can associate an ideal $\mathfrak{q}_{i,j}$ such that the $\mathfrak{q}_{i,j}$ are pairwise coprime and
$$\mathfrak{a}_i = \prod_{j=1}^{r} \mathfrak{q}_{i,j}.$$

(2) Set $h_j = y_j - y_{j-1}$ and $k_j = x_j - x_{j-1}$. If $h_j$ and $k_j$ are coprime for some $j$, then the corresponding ideal $\mathfrak{q}_{i,j}$ is of the form $\mathfrak{q}_{i,j} = \mathfrak{p}^{k_j}$ where $\mathfrak{p}$ is a prime ideal of degree $n_i$.

(3) In the special case when the principal part of the Newton polygon has a single side and $h_1 = y_1 - y_0 = y_1$ is equal to $1$, then $\mathfrak{a}_i = \mathfrak{p}^{e_i}$ where $\mathfrak{p} = (p, T_i(\theta))$ is a prime ideal of degree $n_i$.

Corollary 6.2.4. Let $T \in \mathbb{Z}[X]$ be an Eisenstein polynomial with respect to a prime number $p$, i.e. a monic polynomial $T(X) = \sum_{i=0}^{n} a_i X^i$ with $p \mid a_i$ for all $i < n$ and $p^2 \nmid a_0$ (see Exercise 11 of Chapter 3). In the number field $K = \mathbb{Q}(\theta)$ defined by $T$ the prime $p$ is totally ramified, and more precisely $p\mathbb{Z}_K = \mathfrak{p}^n$ with $\mathfrak{p} = (p, \theta)$.

Proof. In this case we have $T \equiv X^n \pmod p$, hence $T_1(X) = X$, $Q_{1,j} = a_j$, and since $p \mid a_i$ for all $i < n$, the principal part of the Newton polygon is the whole polygon, and since $p^2 \nmid a_0$ we are in the special case (3) of the proposition, so the corollary follows. □

Although  Proposition  6.2.3  gives  results  in  a  number  of  cases,  and  can  be 
generalized  further  (see  [Ore]  and  [Mon-Nar]),  it  is  far  from  being  satisfactory 
from  an  algorithmic  point  of  view. 
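The $T_i$-expansion, the valuations $v_p(Q_{i,j})$ and the principal part of the Newton polygon are mechanical to compute, and the Python program below is added here as an illustration of Definition 6.2.2 and of the side data $(h_j, k_j)$ used in Proposition 6.2.3; it is not code from the book, and its function names and sample polynomials are ours. The samples are the Eisenstein polynomial $X^3 - 2$ at $p = 2$ (relative to $T_1 = X$), the polynomial $X^4 + 2X^2 + 4 \equiv (X^2+1)^2 \pmod 3$ (relative to $T_1 = X^2 + 1$), and $X^3 + 2X^2 + 4$ at $p = 2$.

```python
# Added example (not from the book): the T_i-expansion of T and the principal
# part of the Newton polygon of T relative to T_i and p (Definition 6.2.2),
# with the side data (h_j, k_j) used in Proposition 6.2.3.
# Polynomials are lists of ints, lowest degree first.
from fractions import Fraction
from math import gcd

def divmod_monic(f, g):  # Euclidean division f = q*g + r over Z by a monic g (exact)
    f, dg = f[:], len(g) - 1
    q = [0] * max(len(f) - dg, 1)
    for d in range(len(f) - 1, dg - 1, -1):
        c = f[d]
        if c:
            q[d - dg] = c
            for k in range(dg + 1):
                f[d - dg + k] -= c * g[k]
    return q, (f[:dg] + [0] * dg)[:dg]

def expansion(T, Ti):  # T_i-expansion [Q_{i,0}, ..., Q_{i,d_i}] with T = sum_j Q_{i,j} T_i^j
    Q, f = [], T[:]
    while any(f):
        f, r = divmod_monic(f, Ti)
        Q.append(r)
    return Q

def vp(c, p):  # p-adic valuation of a nonzero integer
    v, c = 0, abs(c)
    while c % p == 0:
        v, c = v + 1, c // p
    return v

def newton_polygon(T, Ti, p):
    """Vertices (x_j, y_j) of the principal part of the Newton polygon of T relative
    to the monic T_i and the prime p, and its sides as (h_j, k_j, slope)."""
    Q = expansion(T, Ti)
    d = len(Q) - 1  # d_i = floor(n / n_i)
    pts = [(j, min(vp(c, p) for c in Q[d - j] if c))  # the point (j, v_p(Q_{i, d_i - j}))
           for j in range(d + 1) if any(Q[d - j])]
    hull = []  # lower convex hull by the monotone chain; collinear points are not vertices
    for x, y in pts:
        while len(hull) >= 2:
            (x0, y0), (x1, y1) = hull[-2], hull[-1]
            if (x1 - x0) * (y - y0) - (y1 - y0) * (x - x0) > 0:
                break
            hull.pop()
        hull.append((x, y))
    a = max(x for x, y in pts if y == 0)  # end of the horizontal part: first vertex (a, 0)
    verts = [v for v in hull if v[0] >= a]
    sides = [(y1 - y0, x1 - x0, Fraction(y1 - y0, x1 - x0))
             for (x0, y0), (x1, y1) in zip(verts, verts[1:])]
    return verts, sides

def prime_powers(T, Ti, p):
    """Proposition 6.2.3 (2): a side with gcd(h_j, k_j) = 1 is a prime power P^{k_j} with
    deg P = deg T_i.  Returns k_j for such sides and None for the undecided ones."""
    return [k if gcd(h, k) == 1 else None for h, k, _ in newton_polygon(T, Ti, p)[1]]

if __name__ == "__main__":
    # X^3 - 2 at p = 2 (Eisenstein): one side (0,0)-(3,1), case (3): 2 Z_K = (2, theta)^3
    print(newton_polygon([-2, 0, 0, 1], [0, 1], 2))
    # X^4 + 2X^2 + 4 = (X^2 + 1)^2 mod 3, relative to T_1 = X^2 + 1: one side (0,0)-(2,1)
    print(newton_polygon([4, 0, 2, 0, 1], [1, 0, 1], 3))
    # X^3 + 2X^2 + 4 at p = 2: one side (0,0)-(3,2); h = 2 and k = 3 are coprime, case (2)
    print(prime_powers([4, 0, 2, 1], [0, 1], 2))
```

On $X^3 - 2$ relative to $T_1 = X$ and $p = 2$ the principal part is the single side from $(0,0)$ to $(3,1)$ with $h_1 = 1$ and $k_1 = 3$, which is case (3) of Proposition 6.2.3 and recovers Corollary 6.2.4. On $X^3 + 2X^2 + 4$ at $p = 2$ the single side runs from $(0,0)$ to $(3,2)$: here $h_1 = 2 \ne 1$, so case (3) does not apply, but $\gcd(2,3) = 1$ and case (2) still gives $\mathfrak{a}_1 = \mathfrak{p}^3$ with $\mathfrak{p}$ of degree $1$. A side with $\gcd(h_j, k_j) > 1$ is reported as undecided, which is exactly the limitation of the method noted in the text.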


6.2.2  Theoretical  Description  of  the  Buchmann-Lenstra  Method 

The second method for decomposing primes in number fields, which is completely general, is due to Buchmann and Lenstra ([Buc-Len]). We proceed as follows. (The reader should compare this to the method used for factoring polynomials modulo $p$ given in Chapter 3.) Write $I_p$ for the $p$-radical of $O$. We know that $I_p = \prod_{i=1}^{g} \mathfrak{p}_i$. Set for any $j \ge 0$:
$$K_j = I_p^{\,j} + pO.$$
It is clear that the valuation at $\mathfrak{p}_i$ of $K_j$ is equal to $\min(e_i, j)$, hence
$$K_j = \prod_{i=1}^{g} \mathfrak{p}_i^{\min(e_i, j)}.$$
It is also clear that $K_j \subset K_{j-1}$. Hence, if we set
$$J_j = K_j (K_{j-1})^{-1},$$
then $J_j$ is an integral ideal, and in fact $J_j = \prod_{e_i \ge j} \mathfrak{p}_i$, so in particular $J_j \subset J_{j+1}$. Finally, if we define
$$H_j = J_j (J_{j+1})^{-1},$$
we have
$$H_j = \prod_{e_i = j} \mathfrak{p}_i.$$
This exactly corresponds to the squarefree decomposition procedure of Section 3.4.2, the $H_j$ playing the role of the $A_i$, and without the inseparability problems. In other words, if we set $e = \max_i(e_i)$, we have
$$pO = \prod_{j=1}^{e} H_j^{\,j},$$
and the $H_j$ are pairwise coprime and are products of distinct maximal ideals. To find the splitting of $pO$, it is of course sufficient to find the splitting of each $H_j$.

Now, since $H_j$ is a product of distinct maximal ideals, i.e. is squarefree, the $\mathbb{F}_p$-algebra $O/H_j$ is separable. Therefore, by the primitive element theorem there exists $\alpha_j \in O/H_j$ such that $O/H_j = \mathbb{F}_p[\alpha_j]$. Let $\overline{h_j}$ be the characteristic polynomial of $\alpha_j$ over $\mathbb{F}_p$, and $h_j$ be any pullback in $\mathbb{Z}[X]$. Then exactly the same proof as in Section 4.8.2 shows that, if
$$h_j(X) \equiv \prod_{i=1}^{g_j} Q_{i,j}(X) \pmod p$$
is the decomposition modulo $p$ of the polynomial $h_j$, then the ideals
$$\mathfrak{q}_{i,j} = H_j + Q_{i,j}(\alpha_j)\,O$$
are maximal and that
$$H_j = \prod_{i=1}^{g_j} \mathfrak{q}_{i,j}$$
is the desired decomposition of $H_j$ into a product of prime ideals.

We  must  now  give  algorithms  for  all  the  steps  described  above.  Essentially, 
the  two  new  things  that  we  need  are  operations  on  ideals  in  our  special  case, 
and  splitting  of  a  separable  algebra  over  Fp. 
6.2.3 Multiplying and Dividing Ideals Modulo $pO$

Although the most delicate step in the decomposition of $p\mathbb{Z}_K$ is the final splitting of the ideals $H_j$, experiment (and complexity analysis) shows that this is paradoxically the fastest part. The conceptually easier steps of multiplying and dividing ideals take, in fact, most of the time and so must be speeded up as much as possible.

Looking at what is needed, it is clear that we use only the reductions modulo $pO$ of the ideals involved. Hence, although for ease of presentation we have implicitly assumed that the ideals are represented by their HNF, we will in fact consider only ideals $I/pO$ of $O/pO$, which will be represented by an $\mathbb{F}_p$-basis. All the difficulties of HNF (Euclidean algorithm, coefficient explosion) disappear and are replaced by simple linear algebra algorithms. Moreover, we are working with coefficients in a field which is usually of small cardinality. (Recall that $p$ divides the index, otherwise the much simpler algorithm of Section 4.8.2 can be used.)

If $I$ is given by its HNF with respect to $\theta$ (this will not happen in our case since we start working directly modulo $p$), then, since $I \supset pO \supset p\mathbb{Z}[\theta]$, the diagonal elements of the HNF will be equal to $1$ or $p$. Therefore, to find a basis of $I/pO$, we simply take the basis elements corresponding to the columns whose diagonal element is equal to $1$.

The  algorithm  for  multiplication  is  straightforward. 

Algorithm 6.2.5 (Ideal Multiplication Modulo $pO$). Given two ideals $I/pO$ and $J/pO$ by $\mathbb{F}_p$-bases $(\alpha_i)_{1 \le i \le r}$ and $(\beta_j)_{1 \le j \le m}$ respectively, where the $\alpha_i$ and $\beta_j$ are expressed as $\mathbb{F}_p$-linear combinations of a fixed integral basis $\omega_1, \dots, \omega_n$ of $O$, this algorithm computes an $\mathbb{F}_p$-basis of the ideal $IJ/pO$.

1. [Compute matrix] Using the multiplication table of the $\omega_i$, let $M$ be the $n \times rm$ matrix with coefficients in $\mathbb{F}_p$ whose columns express the products $\alpha_i\beta_j$ on the integral basis.

2. [Compute image] Using Algorithm 2.3.2 compute a matrix $M_1$ whose columns form an $\mathbb{F}_p$-basis of the image of $M$. Output the columns of $M_1$ and terminate the algorithm.

Ideal  division  modulo  pO  is  slightly  more  difficult.  We  first  need  a  lemma. 

Lemma 6.2.6. Denote by a bar reduction mod $p$. Let $I$ and $J$ be two integral ideals of $O$ containing $pO$ and assume that $I \subset J$. Then, as a $\mathbb{Z}/p\mathbb{Z}$-vector space, $\overline{IJ^{-1}}$ is equal to the kernel of the map $\phi$ from $O/pO$ to $\mathrm{End}(J/I)$ given by
$$\phi(\beta) = (\alpha \mapsto \alpha\beta).$$

Proof. Indeed, $\phi(\beta)$ is equal to $0$ if and only if $\alpha\beta \in I$ for every $\alpha \in J$, i.e. $\beta J \subset I$, or in other words if $\beta \in IJ^{-1}$, proving the lemma. □

This leads to the following algorithm.

Algorithm 6.2.7 (Ideal Division Modulo $pO$). Given two ideals $I/pO$ and $J/pO$ by $\mathbb{F}_p$-bases $(\alpha_i)_{1 \le i \le r}$ and $(\beta_j)_{1 \le j \le m}$ respectively, where the $\alpha_i$ and $\beta_j$ are expressed as $\mathbb{F}_p$-linear combinations of a fixed integral basis $\omega_1, \dots, \omega_n$ of $O$, this algorithm computes an $\mathbb{F}_p$-basis of the ideal $IJ^{-1}/pO$ assuming that $I \subset J$.

1. [Find basis of $J/I$] Apply Algorithm 2.3.7 to the subspaces $I/pO$ and $J/pO$ of $\mathbb{F}_p^n$, thus obtaining a basis $(\gamma_j)_{1 \le j \le m-r}$ of a supplement of $I/pO$ in $J/pO$.

2. [Setup ideal division] By using the multiplication table of the $\omega_i$ and Algorithm 2.3.5, compute elements $a_{i,j,k}$ and $b_{i,j,k}$ in $\mathbb{F}_p$ such that
$$\omega_k\gamma_i = \sum_j a_{i,j,k}\gamma_j + \sum_j b_{i,j,k}\alpha_j,$$
and let $M$ be the $(m-r)^2 \times n$ matrix formed by the $a_{i,j,k}$ for $1 \le i, j \le m-r$ and $1 \le k \le n$ (we can forget the $b_{i,j,k}$).

3. [Compute $IJ^{-1}/pO$] Using Algorithm 2.3.1, compute a matrix $M_1$ whose columns form an $\mathbb{F}_p$-basis of the kernel of $M$, output $M_1$ and terminate the algorithm.

Indeed, $M$ is clearly equal to the matrix of $\phi$ in the standard basis of $\mathrm{End}(J/I)$. □


6.2.4  Splitting  of  Separable  Algebras  over  Fp 

To avoid unnecessary indices, we set simply $H = H_j$. Using the above algorithms, it is straightforward to compute an $\mathbb{F}_p$-basis $\beta_1, \dots, \beta_m$ of $\overline{H} = H/pO$. Using Algorithm 2.3.6, we can supplement this basis to a basis $\beta_1, \dots, \beta_n$ of $O/pO$. It is then clear that the images of $\beta_{m+1}, \dots, \beta_n$ in $O/H$ form an $\mathbb{F}_p$-basis of $O/H$.

In order to finish the decomposition, there remains the problem of splitting the separable algebra $A = O/H$ given by this $\mathbb{F}_p$-basis. As explained above, one method is to start by finding a primitive element $\alpha$. Finding a primitive element is not, however, a completely trivial task. Perhaps the best way is to choose at random an element $x \in A \setminus \mathbb{F}_p$ (note that $\mathbb{F}_p$ can be considered naturally embedded in $A$), compute its minimal polynomial $P(X)$ over $\mathbb{F}_p$ (which need not be irreducible), and check whether $\deg(P) = \dim(A)$. Although practical, this method has the disadvantage of being completely non-deterministic, although it is easy to give estimates for the number of trials that one has to perform before succeeding in finding a suitable $x$, see Exercise 6.

We  give  another  method  which  does  not  have  this  disadvantage.  It  is  based 
on  the  following  proposition. 
Proposition 6.2.8. Let $A$ be a finite separable algebra over $\mathbb{F}_p$. There exists an efficient probabilistic algorithm which either shows that $A$ is a field, or finds a non-trivial idempotent in $A$, i.e. an element $\varepsilon \in A$ such that $\varepsilon^2 = \varepsilon$ with $\varepsilon \ne 0$ and $\varepsilon \ne 1$.

Proof. Since $A$ is a finite separable algebra, $A$ is isomorphic to a finite product of fields, say $A \simeq A_1 \times \dots \times A_k$. Write any element $\alpha$ of $A$ as $(\alpha_1, \dots, \alpha_k)$ where $\alpha_i \in A_i$. Consider the map $\phi$ from $A$ to $A$ defined by $\phi(x) = x^p - x$. It is clear that $\mathbb{F}_p$, considered as embedded in $A$, is in the kernel $V$ of $\phi$. By Algorithm 2.3.1, we can easily compute a basis for $V$, and, in particular, its dimension. Note that $\alpha = (\alpha_1, \dots, \alpha_k) \in V$ if and only if for all $i$ such that $1 \le i \le k$, $\alpha_i \in \mathbb{F}_p$ where $\mathbb{F}_p$ is considered embedded in $A_i$. It follows that $\dim(V) = k$, and hence $\dim(V) = 1$ if and only if $A$ is a field.

Therefore assume that $\dim(V) > 1$, and let $\alpha \in V \setminus \mathbb{F}_p$. By computing successive powers of $\alpha$, we can find the minimal polynomial $m_\alpha(X)$ of $\alpha$ in $A$. If $\alpha = (\alpha_1, \dots, \alpha_k)$, it is clear that $m_\alpha(X)$ is the least common multiple of the $m_{\alpha_i}(X)$, and since $\alpha_i \in \mathbb{F}_p$, the polynomials $m_{\alpha_i}(X)$ are polynomials of degree $1$. It follows that $m_\alpha(X)$ is a squarefree polynomial equal to a product of at least two linear factors (since $\alpha \notin \mathbb{F}_p$). Write $m_\alpha(X) = m_1(X)m_2(X)$ where $m_1$ and $m_2$ are non-constant polynomials in $\mathbb{F}_p[X]$. Since $m_\alpha$ is squarefree, $m_1$ and $m_2$ are coprime, so we can find polynomials $U(X)$ and $V(X)$ in $\mathbb{F}_p[X]$ such that $U(X)m_1(X) + V(X)m_2(X) = 1$. We now choose $\varepsilon = Um_1(\alpha)$. Since $m_1m_2(\alpha) = 0$, $\varepsilon$ is an idempotent. In addition, it is clear that $(U, m_2) = (V, m_1) = 1$ and $m_1$, $m_2$ non-constant imply that $\varepsilon \ne 0$ and $\varepsilon \ne 1$. □

Remark. Note that it is not necessary to compute the complete basis of the kernel of $\phi$ in order to obtain the result. We need only, either show that the kernel $V$ is of dimension $1$ (proving that $A$ is a field), or give an element of $V$ which is not in the one-dimensional subspace $\mathbb{F}_p$. Hence, we can stop Algorithm 2.3.1 as soon as such an element is found.

Using this proposition, it is easy to finish the splitting of our ideals $H = H_j$. Set $A = O/H$ as before. Using the above proposition, either we have shown that $A$ is a field (hence $H$ is a prime ideal, so we have shown that the splitting is trivial), or we have found a non-trivial idempotent $\varepsilon$. Set $H_1 = H + eO$, $H_2 = H + (1-e)O$ where $e$ is any lift to $O$ of $\varepsilon$. I claim that $H = H_1 \cdot H_2$. Indeed, since $e(1-e) \in H$, it is clear that $H_1 \cdot H_2 \subset H$. Conversely, if $x \in H$ we can write $x = ex + (1-e)x$, and $ex \in eO \cdot H$, $(1-e)x \in (1-e)O \cdot H$, so $x \in H_1 \cdot H_2$ as claimed.

Hence, we have split $H$ non-trivially (since $\varepsilon$ is a non-trivial idempotent) and we can continue working on $H_1$ and $H_2$ separately. This process terminates in at most $k$ steps, where $k$ is the number of prime factors of $H$.

A  more  efficient  method  would  be  to  use  the  complete  splitting  of  ma(X) 
(in  the  notation  of  the  proof  of  Proposition  6.2.8)  which  gives  a  corresponding 
splitting  of  H  as  a  product  of  more  than  two  ideals.  This  will  be  done  in  the 
algorithm  given  below. 
Remark. For some applications, such as computing the values of zeta and $L$-functions, it is not necessary to obtain the explicit decomposition of $pO$, but only the ramification indices and residual degrees $e_i$ and $f_i$. Once the $H_j$ above have been computed, this can be done without much further work, as explained in Exercise 8 (this remark is due to H. W. Lenstra).

Once $H$ has been shown to be a maximal ideal by successive splittings, what remains is the problem of representing $H$. Since we will have computed an $\mathbb{F}_p$-basis $(\alpha_i)_{1 \le i \le m}$ of $H/pO$, to obtain the HNF of $H$ we arbitrarily lift the $\alpha_i$ to $a_i \in O$, and then do an HNF reduction of the matrix whose first $m$ columns are the components of the $a_i$ on the $\omega_j$, and whose last $n$ columns form $p$ times the $n \times n$ identity matrix. It is obviously possible to do this HNF reduction modulo $p$ (Algorithm 2.4.8), so no coefficient explosion can take place.

Even after finding the HNF of $H$ we should still not be satisfied, because in practice, it is much more efficient to represent prime ideals by a two-element representation. To obtain this, we apply Algorithm 4.7.10. Note that we know the degree of $H$ (the number $f$ in the notation of Algorithm 4.7.10), which is simply equal to $n - m$ (since $p^n = [O : pO] = [O : H][H : pO] = p^f p^m$). Also we do not need to compute the HNF of $H$ at all to apply Algorithm 4.7.10 since (together with $p$) the $a_i$ clearly form a $\mathbb{Z}_K$-generating set.


6.2.5  Detailed  Description  of  the  Algorithm  for  Prime 
Decomposition 

We can summarize the preceding discussions in the following algorithm.

Algorithm 6.2.9 (Prime Decomposition). Let $K = \mathbb{Q}(\theta)$ be a number field given by an algebraic integer $\theta$ as root of its minimal monic polynomial $T$ of degree $n$. We assume that we have already computed an integral basis $\omega_1 = 1, \dots, \omega_n$ and the discriminant $d(K)$ of $K$, for example, by using the round 2 Algorithm 6.1.8.

Given a prime number $p$, this algorithm outputs the decomposition $p\mathbb{Z}_K = \prod_{1 \le i \le g} \mathfrak{p}_i^{e_i}$ by giving for each $i$ the values of $e_i$, $f_i = \deg(\mathfrak{p}_i)$ and a two-element representation $\mathfrak{p}_i = (p, \alpha_i)$. All the ideals $I$ which we will use (except for the final $\mathfrak{p}_i$) will be represented by $\mathbb{F}_p$-bases of $I/pO$.

1. [Check if easy] If $p \nmid \mathrm{disc}(T)/d(K)$, then by applying the algorithms of Section 3.4 factor the polynomial $T(X)$ modulo $p$, output the decomposition of $p\mathbb{Z}_K$ given by Theorem 4.8.13 and terminate the algorithm.

2. [Compute radical] Set $q \leftarrow p$, and while $q < n$ set $q \leftarrow qp$. Now compute the $n \times n$ matrix $A = (a_{i,j})$ over $\mathbb{F}_p$ such that $\omega_j^q = \sum_{1 \le i \le n} a_{i,j}\omega_i$. Note that the matrix of the $\omega_i$ will stay triangular, so the $\omega_j^q$ are easy to compute. Finally, using Algorithm 2.3.1, compute a basis $\beta_1, \dots, \beta_l$ of the kernel of the matrix $A$ over $\mathbb{F}_p$ (this will be a basis of $I_p/pO$). (Note that this step has already been performed as step 7 of the round 2 algorithm, so if the result has been kept it is not necessary to recompute this again.)

3. [Compute $K_i$] Set $K_1 \leftarrow I_p/pO$ (computed in step 2), $i \leftarrow 1$, and while $K_i \ne \{0\}$ set $i \leftarrow i+1$ and $K_i \leftarrow K_{i-1}K_1$, computed using Algorithm 6.2.5.

4. [Compute $J_j$] Set $J_1 \leftarrow K_1$ and for $j = 2, \dots, i$ set $J_j \leftarrow K_jK_{j-1}^{-1}$ using Algorithm 6.2.7.

5. [Compute $H_j$] For $j = 1, \dots, i-1$ set $H_j \leftarrow J_jJ_{j+1}^{-1}$ using Algorithm 6.2.7, and set $H_i \leftarrow J_i$.

6. [Initialize loop] Set $j \leftarrow 0$, $c \leftarrow 0$.

7. [Finished?] If $c = 0$ do the following: if $j = i$ terminate the algorithm, otherwise set $j \leftarrow j+1$ and if $\dim_{\mathbb{F}_p}(H_j) < n$ set $\mathcal{L} \leftarrow \{H_j\}$ and $c \leftarrow 1$, else go to step 7 ($\mathcal{L}$ will be a list of $c$ ideals of $O/pO$).

8. [Compute separable algebra $A$] Let $H$ be an element of $\mathcal{L}$. Compute an $\mathbb{F}_p$-basis of $A = O/H = (O/pO)/(H/pO)$ in the following way. If $\beta_1, \dots, \beta_r$ is the given $\mathbb{F}_p$-basis of $H$, set $\beta_{r+1} \leftarrow (1, 0, \dots, 0)^t$ (which will be linearly independent of the $\beta_i$ for $i \le r$ since $1 \notin H$), and supplement this family of vectors using Algorithm 2.3.6 to a basis $\beta_1, \dots, \beta_n$ of $O/pO$. Then, as an $\mathbb{F}_p$-basis of $A$, take $\beta_{r+1}, \dots, \beta_n$. (This insures that the first vector of our basis of $A$ is always $(1, 0, \dots, 0)^t$, which would not be the case if we applied Algorithm 2.3.6 directly.)

9. [Compute multiplication table] Denote by $\gamma_1, \dots, \gamma_f$ the $\mathbb{F}_p$-basis of $A$ just obtained (hence $\gamma_1 = \beta_{r+1}$ and $f = n - r$). By using the multiplication table of the $\omega_i$ and Algorithm 2.3.5, compute elements $a_{i,j,k}$ and $b_{i,j,k}$ in $\mathbb{F}_p$ such that
$$\gamma_i\gamma_j = \sum_{1 \le k \le f} a_{i,j,k}\gamma_k + \sum_{1 \le k \le r} b_{i,j,k}\beta_k.$$
The multiplication table of the $\gamma_i$ (which will be used implicitly from now on) is given by the $a_{i,j,k}$ (we can forget the $b_{i,j,k}$).

10. [Compute $V = \ker(\phi)$] Let $M$ be the matrix of the map $\alpha \mapsto \alpha^p - \alpha$ from $A$ to $A$ on the $\mathbb{F}_p$-basis that we have found. Compute a basis $M_1$ of the kernel of $M$ using Algorithm 2.3.1. Note that if some other algorithm is used to find the kernel, we should nonetheless insure that the first column of $M_1$ is equal to $(1, 0, \dots, 0)^t$.

11. [Do we have a field?] If $M_1$ has at least two columns (i.e. if the kernel of $M$ is not one-dimensional), go to step 12. Otherwise, set $f \leftarrow \dim_{\mathbb{F}_p}(A)$, and let $(p, \alpha)$ be the two-element representation of $H$ obtained by applying Algorithm 4.7.10 to $H$. Output $j$ as ramification index, $f$ as residual degree of $H$, and the prime ideal $(p, \alpha)$. Then remove $H$ from the list $\mathcal{L}$, set $c \leftarrow c-1$ and go to step 7.

12. [Find $m(X)$] Let $\alpha \in A$ correspond to a column of $M_1$ which is not proportional to $(1, 0, \dots, 0)^t$. By computing the successive powers of $\alpha$ in $A$, let $m(X) \in \mathbb{F}_p[X]$ be the minimal monic polynomial of $\alpha$ in $A$.

13. [Factor $m(X)$] (We know that $m(X)$ is a squarefree product of linear polynomials.) By using one of the final splitting methods described in Section 3.4, or simply by trial and error if $p$ is small, factor $m(X)$ into linear factors as $m(X) = m_1(X) \cdots m_k(X)$.

14. [Split $H$] Let $r = \dim_{\mathbb{F}_p}(H)$. For $s = 1, \dots, k$ do as follows. Set $\beta_s \leftarrow m_s(\alpha)$, let $M_s$ be the $n \times (r+n)$ matrix over $\mathbb{F}_p$ whose first $r$ columns give the basis of $H$ and whose last $n$ columns express the $\omega_i\beta_s$ on the integral basis. Finally, let $H_s$ be the image of $M_s$ computed using Algorithm 2.3.2.

15. [Update list] Remove $H$ and add $H_1, \dots, H_k$ to the list $\mathcal{L}$, set $c \leftarrow c+k-1$ and go to step 8.

The  dimension  condition  in  step  7  was  added  so  as  to  avoid  considering 
values  of  j  such  that  there  are  no  prime  ideals  over  p  whose  ramification  index 
is  equal  to  j. 

The  validity  of  steps  14  and  15  of  the  algorithm  is  left  as  an  exercise  for 
the  reader  (Exercise  27). 

Remark. If we want to avoid writing routines for ideal multiplication and division, we can also proceed as follows. After step 2 of the above algorithm set $\mathcal{L} \leftarrow \{I_p\}$ and go directly to step 8 to compute the decomposition of the separable algebra $A = O/I_p$. In step 11, we must compute the ramification index $j$ of each prime ideal found, and this is easily done by using Algorithm 4.8.17. We leave the details of these modifications to the reader (Exercise 11). This method is in practice much faster than the method using ideal multiplication and division.


6.3 Computing Galois Groups

6.3.1  The  Resolvent  Method 

I  am  indebted  to  Y.  Eichenlaub  for  help  in  writing  this  section. 

Let $K = \mathbb{Q}(\theta)$ be a number field of degree $n$, where $\theta$ is an algebraic integer whose minimal monic polynomial is denoted $T(X)$. An important algebraic question is to compute the Galois group $\mathrm{Gal}(T)$ of the polynomial $T$, in other words the Galois group of the splitting field of $T$, or equivalently of the Galois closure of $K$ in $\overline{\mathbb{Q}}$. Since by definition elements of $\mathrm{Gal}(T)$ act as permutations on the roots of $T$, once an ordering of the roots is given, $\mathrm{Gal}(T)$ can naturally be considered as a subgroup of $S_n$, the symmetric group on $n$ letters. Changing the ordering of the roots clearly transforms $\mathrm{Gal}(T)$ into a conjugate group, and since the ordering is not canonical, the natural objects to consider are subgroups of $S_n$ up to conjugacy. It will be important in what follows to remember that we have chosen a specific, but arbitrary ordering, since it will sometimes be necessary to change it.

Furthermore, since the polynomial $T$ is irreducible, the group $\mathrm{Gal}(T)$ is a transitive subgroup of $S_n$, i.e. there is a single orbit for the action of $\mathrm{Gal}(T)$ on the roots $\theta_i$ of $T$ (each orbit corresponding to an irreducible factor of $T$). Hence, the first task is to classify transitive subgroups of $S_n$ up to conjugacy. This is a non-trivial (but purely) group-theoretical question. It has been solved up to $n = 32$ (see [But-McKay] and [Hul]), but the number of groups becomes unwieldy for higher degrees. We will give the classification for $n \le 7$.

Note  that  since  the  cardinality  of  an  orbit  divides  the  order  of  Gal(T),  the 
cardinality  of  a  transitive  subgroup  of  Sn  is  divisible  by  n. 

Once  the  transitive  groups  are  classified,  we  must  still  determine  which 
corresponds  to  our  Galois  group  Gal(T).  We  first  note  the  following  simple, 
but  important  proposition. 

Proposition 6.3.1. Let $A_n$ be the alternating group on $n$ letters corresponding to the even permutations. Then $\mathrm{Gal}(T) \subset A_n$ if and only if $\mathrm{disc}(T)$ is a square.

Proof. Let $\theta_i$ be the roots of $T$. By Proposition 3.3.5, we know that
$$\mathrm{disc}(T) = f^2, \quad\text{where}\quad f = \prod_{1 \le i < j \le n} (\theta_j - \theta_i).$$
Clearly $f$ is an algebraic integer, and for any $\sigma \in \mathrm{Gal}(T)$ we have
$$\sigma(f) = \epsilon(\sigma)\,f,$$
where $\epsilon(\sigma)$ denotes the signature of $\sigma$. Hence, if $\mathrm{Gal}(T) \subset A_n$, all permutations of $\mathrm{Gal}(T)$ are even, so $f$ is invariant under $\mathrm{Gal}(T)$. Thus by Galois theory, $f \in \mathbb{Z}$. Conversely, if $\mathrm{disc}(T)$ is a square, then $f = \pm\sqrt{\mathrm{disc}(T)} \in \mathbb{Z}$, and $f \ne 0$ since the roots of $T$ are distinct. Hence $\sigma(f) = f$, therefore $\epsilon(\sigma) = 1$ for all $\sigma \in \mathrm{Gal}(T)$, so $\mathrm{Gal}(T) \subset A_n$. Note that since $A_n$ is a normal subgroup, whether a group is a subgroup of $A_n$ depends only on its conjugacy class, and not on the precise conjugate. □

We  now  need  to  introduce  a  definition  which  will  be  basic  to  our  work. 

Definition 6.3.2. Let $G$ be a subgroup of $S_n$ containing $\mathrm{Gal}(T)$ (not up to conjugacy, but for the given numbering of the roots), and let $F(X_1, X_2, \dots, X_n)$ be a polynomial in $n$ variables with coefficients in $\mathbb{Z}$. If $H$ is the stabilizer of $F$ in $G$, i.e.
$$H = \{\sigma \in G,\ F(X_{\sigma(1)}, X_{\sigma(2)}, \dots, X_{\sigma(n)}) = F(X_1, X_2, \dots, X_n)\},$$
we define the resolvent polynomial $R_G(F, T)$ with respect to $G$, $F$ and the polynomial $T$ by
$$R_G(F, T)(X) = \prod_{\sigma \in G/H} \bigl(X - F(\theta_{\sigma(1)}, \theta_{\sigma(2)}, \dots, \theta_{\sigma(n)})\bigr),$$
where $G/H$ denotes any set of left coset representatives of $G$ modulo $H$.

When $G = S_n$, we will omit the subscript in the notation.

It is clear from elementary Galois theory that $R_G(F, T) \in \mathbb{Z}[X]$. The main theorem which we will use concerning resolvent polynomials is as follows.

Theorem 6.3.3. With the notation of the preceding definition, set $m = [G : H] = \deg(R_G(F, T))$. Then, if $R_G(F, T)$ is squarefree, its Galois group (as a subgroup of $S_m$) is equal to $\phi(\mathrm{Gal}(T))$, where $\phi$ is the natural group homomorphism from $G$ to $S_m$ given by the natural left action of $G$ on $G/H$. In particular, the list of degrees of the irreducible factors of $R_G(F, T)$ in $\mathbb{Z}[X]$ is the same as the list of the lengths of the orbits of the action of $\phi(\mathrm{Gal}(T))$ on $[1, \dots, m]$. For example, $R_G(F, T)$ has a root in $\mathbb{Z}$ if and only if $\mathrm{Gal}(T)$ is conjugate under $G$ to a subgroup of $H$.

For  the  proof,  see  [Soi]. 

Note  that  it  is  important  to  specify  that  Gal(T)  is  conjugate  under  G, 
since  this  is  a  stronger  condition  than  being  conjugate  under  Sn. 

Now  it  will  often  happen  that  Rg{F,T )  is  not  squarefree.  In  that  case,  to 
be  able  to  apply  the  theorem,  we  use  the  following  algorithm. 

Algorithm 6.3.4 (Tschirnhausen Transformation). Given a monic irreducible polynomial T defining a number field $K = \mathbb{Q}(\theta)$, we find another such polynomial U defining the same number field.

1. [Choose random polynomial] Let $n \leftarrow \deg(T)$. Choose at random a polynomial $A \in \mathbb{Z}[X]$ of degree less than or equal to $n - 1$.

2. [Compute characteristic polynomial] Using the method explained in Section 4.3, compute the characteristic polynomial U of $\alpha = A(\theta)$. In other words, using the sub-resultant Algorithm 3.3.7, set $U \leftarrow R_Y(T(Y), X - A(Y))$.

3. [Check degree] Using Euclid's algorithm, compute $V \leftarrow \gcd(U, U')$. If V is constant, then output U and terminate the algorithm, otherwise go to step 1.

The validity of this algorithm is clear.

Modifying T if necessary by using such a Tschirnhausen transformation, it is always easy to reduce to the case where $R_G(F,T)$ is squarefree.
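The following is an added worked example of Algorithm 6.3.4 in pure Python; it is not code from the text. It assumes that the characteristic polynomial U of $\alpha = A(\theta)$ is obtained as $\det(X \cdot I - M)$, where M is the matrix of multiplication by $\alpha$ on the basis $1, \theta, \ldots, \theta^{n-1}$, evaluated exactly over the rationals by the Faddeev-LeVerrier recurrence, rather than by the sub-resultant Algorithm 3.3.7; both give the same polynomial $R_Y(T(Y), X - A(Y))$. Step 3 is Euclid's algorithm over $\mathbb{Q}$. The sample input $T = X^4 - 2$ is taken from the test list of Section 6.3.7, the choices of A are constructed, and the random variant uses a fixed seed so that it is reproducible.

```python
from fractions import Fraction
import random

# Polynomials are lists of integer coefficients, lowest degree first.


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def poly_mod(p, T):
    """Remainder of p modulo the monic polynomial T, as a list of length deg T."""
    p = list(p)
    n = len(T) - 1
    for k in range(len(p) - 1, n - 1, -1):
        c = p[k]
        if c:
            for i in range(n + 1):
                p[k - n + i] -= c * T[i]
    p = p[:n]
    return p + [0] * (n - len(p))


def mult_matrix(A, T):
    """Matrix of multiplication by alpha =  A(theta) on the basis 1, theta, ...,
    theta^(n-1) of Q(theta), theta a root of T; column j is alpha * theta^j mod T."""
    n = len(T) - 1
    alpha = poly_mod(A, T)
    cols = [poly_mod(poly_mul(alpha, [0] * j + [1]), T) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def charpoly(M):
    """det(X I - M) by the Faddeev-LeVerrier recurrence, exact over Q, lowest
    degree first.  For the multiplication matrix this is the characteristic
    polynomial of alpha, i.e. the resultant R_Y(T(Y), X - A(Y)) of step 2."""
    n = len(M)
    c = [Fraction(0)] * (n + 1)
    c[n] = Fraction(1)
    Mk = [[Fraction(0)] * n for _ in range(n)]
    for k in range(1, n + 1):
        # M_k = M * M_{k-1} + c_{n-k+1} * I ;  c_{n-k} = -tr(M * M_k) / k
        Mk = [[sum(M[i][l] * Mk[l][j] for l in range(n)) + (c[n - k + 1] if i == j else 0)
               for j in range(n)] for i in range(n)]
        trace = sum(M[i][l] * Mk[l][i] for i in range(n) for l in range(n))
        c[n - k] = -trace / k
    return [int(x) for x in c]


def derivative(p):
    return [i * p[i] for i in range(1, len(p))]


def poly_gcd(a, b):
    """Monic gcd over Q by Euclid's algorithm (step 3)."""
    def strip(p):
        while p and p[-1] == 0:
            p.pop()
        return p
    a, b = strip([Fraction(x) for x in a]), strip([Fraction(x) for x in b])
    while b:
        while len(a) >= len(b):          # a <- a mod b
            q, shift = a[-1] / b[-1], len(a) - len(b)
            for i in range(len(b)):
                a[shift + i] -= q * b[i]
            a = strip(a)
        a, b = b, a
    return [x / a[-1] for x in a]


def tschirnhausen(T, A):
    """Steps 2 and 3 of Algorithm 6.3.4 for a given A: returns (U, True) when
    U, the characteristic polynomial of A(theta), is squarefree (so A(theta)
    generates the same field), and (U, False) otherwise."""
    U = charpoly(mult_matrix(A, T))
    return U, len(poly_gcd(U, derivative(U))) == 1


def random_tschirnhausen(T, seed=0, bound=3):
    """Algorithm 6.3.4 proper: random A of degree <= n - 1 until U is squarefree."""
    rng = random.Random(seed)
    n = len(T) - 1
    while True:
        U, ok = tschirnhausen(T, [rng.randint(-bound, bound) for _ in range(n)])
        if ok:
            return U


if __name__ == "__main__":
    T = [-2, 0, 0, 0, 1]                      # X^4 - 2, the (D4, -) test polynomial
    print(tschirnhausen(T, [1, 1]))           # A = X + 1: U = (X - 1)^4 - 2, squarefree
    print(tschirnhausen(T, [0, 0, 1]))        # A = X^2: U = (X^2 - 2)^2, rejected
    print(random_tschirnhausen(T))
```

With $A = X + 1$ the transform is just $T(X - 1)$, which is squarefree; with $A = X^2$ the element $\theta^2 = \sqrt{2}$ generates only a quadratic subfield, and the gcd test of step 3 detects this because U is then the square of $X^2 - 2$.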

Finally, we need some notation. The elements of the set G/H will be given as products of disjoint cycles, with I denoting the identity permutation. Usually, apart from I, G/H will contain only transpositions.

We denote by $C_n$ the cyclic group $\mathbb{Z}/n\mathbb{Z}$, and by $D_n$ the dihedral group of order 2n, isomorphic to the isometries of a regular n-gon. As before, $A_n$ and $S_n$ denote the alternating group and symmetric group on n letters respectively. Finally, $A \rtimes B$ denotes the semi-direct product of the groups A and B, where the action of B on A is understood.

When we compute a group, we will output not only the isomorphism class of the group, but also a sign expressing whether the group is contained in $A_n$ (+ sign) or not ($-$ sign). This will help resolve a number of ambiguities since isomorphic groups are not always conjugate in $S_n$.

Let us now examine in turn each degree up to degree 7. The particular choices of resolvents that we give are in no way canonical, although we have tried to give the ones which are the most efficient. The reader can find many other choices in the literature ([Stau], [Gir], [Soi] and [Soi-McKay], [Eicl]). The validity of the algorithms given can be checked using Theorem 6.3.3.

In degrees 1 and 2 there is of course nothing to say since the only possible group is $S_n$ in these cases, so we always output $(S_n, -)$.


6.3.2 Degree 3

In degree 3, it is obvious that the only transitive subgroups of $S_3$ are $C_3 \simeq A_3$ and $S_3 \simeq D_3$, which may be separated by the discriminant. In other words:

Proposition 6.3.5. If $n = 3$, we have either $\mathrm{Gal}(T) \simeq C_3$ or $\mathrm{Gal}(T) \simeq S_3$ depending on whether $\mathrm{disc}(T)$ is a square or not.

Thus we output $(C_3, +)$ or $(S_3, -)$ depending on $\mathrm{disc}(T)$.


6.3.3 Degree 4

In degree 4, there are (up to conjugacy) five transitive subgroups of $S_4$. These are $C_4$ (the cyclic group), $V_4 = C_2^2$ (the Klein 4-group), $D_4$ (the dihedral group of order 8, group of isometries of the square), $A_4$ and $S_4$.

Some inclusions are $V_4 \subset D_4 \cap A_4$, and $C_4 \subset D_4$.

Important remark: note that although we consider the groups only up to conjugacy, the notion of inclusion for two groups $G_1$ and $G_2$ can reasonably be defined by saying that $G_1 \subset G_2$ only when $G_1$ is a subgroup of some conjugate of $G_2$. On the other hand, when we consider abstract groups such as $V_4$, $D_4$, etc., the notion of inclusion is much more delicate since some subgroups of $S_n$ can be isomorphic as abstract groups but not conjugate in $S_n$. In this case, we write $G_1 \subset G_2$ only if this is valid for all conjugacy classes isomorphic to $G_1$ and $G_2$ respectively.

A simple algorithm is as follows.

Algorithm 6.3.6 (Galois Group for Degree 4). Given an irreducible monic polynomial $T \in \mathbb{Z}[X]$ of degree 4, this algorithm computes its Galois group.

1. [Compute resolvent] Using Algorithm 3.6.6, compute the roots $\theta_i$ of T in $\mathbb{C}$. Let

$F \leftarrow X_1 X_2^2 + X_2 X_3^2 + X_3 X_4^2 + X_4 X_1^2$

and let $R \leftarrow R(F,T)$, where a system of representatives of G/H is given by

$G/H = \{I, (12), (13), (14), (23), (34)\}$.

Then round the coefficients of R to the nearest integer (note that the roots $\theta_i$ must be computed to a sufficient accuracy for this rounding to be correct, and the needed accuracy is easily determined, see Exercise 13).

2. [Squarefree?] Compute $V \leftarrow (R, R')$ using the Euclidean algorithm. If V is non-constant, replace T by the polynomial obtained by applying a Tschirnhausen transformation using Algorithm 6.3.4 and go to step 1.

3. [Factor resolvent] Using Algorithm 3.5.7, factor R over $\mathbb{Z}$. Let L be the list of the degrees of the irreducible factors sorted in increasing order.

4. [Conclude] If R is irreducible, i.e. if $L = (6)$, then output $(A_4, +)$ or $(S_4, -)$ depending on whether $\mathrm{disc}(T)$ is a perfect square or not. Otherwise, output $(C_4, -)$, $(V_4, +)$ or $(D_4, -)$ depending on whether $L = (1, 1, 4)$, $L = (2, 2, 2)$ or $L = (2, 4)$ respectively. Terminate the algorithm.

Note that with this choice of resolvent, we have $H = C_4 = \langle (1234) \rangle$, the group of cyclic permutations, but this fact is needed in checking the correctness of the algorithm, not in the algorithm itself, where only G/H is used.

Another algorithm which is computationally slightly simpler is as follows. We give it also to illustrate the importance of the root ordering.

Algorithm 6.3.7 (Galois Group for Degree 4). Given an irreducible monic polynomial $T \in \mathbb{Z}[X]$ of degree 4, this algorithm computes its Galois group.

1. [Compute resolvent] Using Algorithm 3.6.6, compute the roots $\theta_i$ of T in $\mathbb{C}$. Let

$F \leftarrow X_1 X_3 + X_2 X_4$

and let $R \leftarrow R(F,T)$, where a system of representatives of G/H is given by

$G/H = \{I, (12), (14)\}$.

Round the coefficients of R to the nearest integer.

2. [Squarefree?] Compute $V \leftarrow (R, R')$ using the Euclidean algorithm. If V is non-constant, replace T by the polynomial obtained by applying a Tschirnhausen transformation using Algorithm 6.3.4 and go to step 1.

3. [Integral root?] Check whether R has an integral root by explicitly computing them in terms of the $\theta_i$. (This is usually much faster than using the general factoring procedure 3.5.7.)

4. [Can one conclude?] If R does not have an integral root (so R is irreducible), then output $(A_4, +)$ or $(S_4, -)$ depending on whether $\mathrm{disc}(T)$ is a perfect square or not and terminate the algorithm. Otherwise, if $\mathrm{disc}(T)$ is a square, output $(V_4, +)$ and terminate the algorithm.

5. [Renumber] (Here R has an integral root and $\mathrm{disc}(T)$ is not a square. The Galois group must be isomorphic either to $C_4$ or to $D_4$.) Let $\sigma$ be the element of $S_4$ corresponding to the integral root of R, and set $(\theta_i) \leftarrow (\theta_{\sigma(i)})$ (i.e. we renumber the roots of T according to $\sigma$).

6. [Use new resolvent] Set

$d \leftarrow \bigl((\theta_1 - \theta_3)(\theta_2 - \theta_4)(\theta_1 + \theta_3 - \theta_2 - \theta_4)\bigr)^2$

rounded to the nearest integer (with the same remarks as before about the accuracy needed for the $\theta_i$). If $d \neq 0$, output $(C_4, -)$ or $(D_4, -)$ depending on whether d is a perfect square or not and terminate the algorithm.

7. [Replace] (Here $d = 0$.) Replace T by the polynomial obtained by applying a Tschirnhausen transformation A using Algorithm 6.3.4. Set $\theta_i \leftarrow A(\theta_i)$ (which will be the roots of the new T). Reorder the $\theta_i$ so that $\theta_1\theta_3 + \theta_2\theta_4 \in \mathbb{Z}$ (only the 3 elements of G/H given in step 1 need to be tried), then go to step 6.

In principle, this algorithm involves factoring polynomials of degree 3, hence is computationally simpler than the preceding algorithm, although its structure is more complicated due to the implicit use of two different resolvents. The first resolvent corresponds to $G = S_4$ and $H = D_4 = \langle (1234), (13) \rangle$. The second resolvent corresponds to $F = X_1 X_2^2 + X_2 X_3^2 + X_3 X_4^2 + X_4 X_1^2$, $G = D_4$, $H = C_4$ and $G/H = \{I, (13)\}$, hence the polynomial of degree 2 need not be explicitly computed in order to find its arithmetic structure.

Remark. (This remark is valid in any degree.) As can be seen from the preceding algorithm, it is not really necessary to compute the resolvent polynomial R explicitly, but only a sufficiently close approximation to its roots (which are known explicitly by definition). To check whether R is squarefree or not can also be done by simply checking that R does not have any multiple root (to sufficient accuracy). In fact, we have the following slight strengthening of Theorem 6.3.3 which can be proved in the same way.

Proposition 6.3.8. We keep the notations of Theorem 6.3.3, but we do not necessarily assume that $R_G(F,T)$ is squarefree. If $R_G(F,T)$ has a simple root in $\mathbb{Z}$, then $\mathrm{Gal}(T)$ is conjugate under G to a subgroup of H.

This proposition shows that it is not necessary to assume $R_G(F,T)$ squarefree in order to apply the above algorithms, as well as any others which depend only on the existence of an integral root and not more generally on the degrees of the irreducible factors of $R_G(F,T)$. (This is the case for the algorithms that we give in degree 4 and 5.) This remark should of course be used when implementing these algorithms.
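The following is an added worked example, not code from the text: Algorithm 6.3.7 in pure Python, written the way the Remark and Proposition 6.3.8 recommend, so only the roots of the resolvent are computed and a simple integral root is enough. It assumes that the complex roots are found by Durand-Kerner iteration in place of Algorithm 3.6.6, that step 7 draws A from a short constructed list instead of at random (so that the run is reproducible), and that the values $\theta_i \leftarrow A(\theta_i)$ are used directly as the roots of the transformed polynomial, which therefore never has to be written down. The five degree-4 polynomials of the test list in Section 6.3.7 are used as input; the $(D_4, -)$ polynomial $X^4 - 2$ is the one that reaches step 7 (its first pairing gives $d = 0$), which is the case the text warns about.

```python
from math import isqrt, prod

# Polynomials are coefficient lists, lowest degree first.  T must be monic,
# irreducible and of degree 4.  Double precision is enough for the small test
# polynomials of Section 6.3.7; a serious implementation bounds the accuracy
# the roundings below need (Exercise 13 in the text).
TOL = 1e-6
# G/H = {I, (12), (14)} for G = S4, H = D4, each as the 0-based images of 1..4.
COSETS = [(0, 1, 2, 3), (1, 0, 2, 3), (3, 1, 2, 0)]
# Constructed Tschirnhausen polynomials A (the text draws A at random):
# X^2 + X, X^2 - X, X^3 + X, X^3 + X^2 + X.  A translation X + c is useless in
# step 7 because d is invariant under translating the roots.
TRANSFORMS = [[0, 1, 1], [0, -1, 1], [0, 1, 0, 1], [0, 1, 1, 1]]


def peval(p, z):
    """Horner evaluation of p at z."""
    acc = 0
    for c in reversed(p):
        acc = acc * z + c
    return acc


def complex_roots(p, iters=500):
    """Roots of a monic polynomial by Durand-Kerner iteration (stands in for
    Algorithm 3.6.6 of the text)."""
    n = len(p) - 1
    z = [(0.4 + 0.9j) ** k for k in range(n)]
    for _ in range(iters):
        new = [z[k] - peval(p, z[k]) / prod(z[k] - z[j] for j in range(n) if j != k)
               for k in range(n)]
        converged = max(abs(a - b) for a, b in zip(new, z)) < 1e-14
        z = new
        if converged:
            break
    return z


def discriminant(roots):
    """disc(T) = prod_{i<j} (theta_i - theta_j)^2 for monic T, rounded to an integer."""
    d = 1
    for i in range(len(roots)):
        for j in range(i + 1, len(roots)):
            d *= (roots[i] - roots[j]) ** 2
    return round(d.real)


def is_square(n):
    return n >= 0 and isqrt(n) ** 2 == n


def as_int(z):
    """The nearest integer if z is numerically a rational integer, else None."""
    n = round(z.real)
    return n if abs(z - n) < TOL else None


def resolvent_values(t):
    """The roots of R(F, T) for F = X1 X3 + X2 X4, one per coset in G/H."""
    return [t[s[0]] * t[s[2]] + t[s[1]] * t[s[3]] for s in COSETS]


def is_simple(vals, k):
    """vals[k] is a simple root: it differs from every other value."""
    return all(abs(vals[k] - vals[j]) > TOL for j in range(len(vals)) if j != k)


def tschirnhausen(t, candidates):
    """Step 7 in numerical form: theta_i <- A(theta_i).  The new values are the
    roots of the transformed T of Algorithm 6.3.4, so T itself is never formed.
    A is rejected when A(theta) does not have 4 distinct conjugates."""
    for A in candidates:
        new = [peval(A, z) for z in t]
        if all(is_simple(new, k) for k in range(4)):
            return new
    raise ValueError("all constructed Tschirnhausen polynomials failed")


def galois_group_quartic(T):
    """Algorithm 6.3.7, applying Proposition 6.3.8: a simple integral root of R
    is enough, so R need not be squarefree.  Returns e.g. ("C4", "-")."""
    t = complex_roots(T)
    # Squareness of disc(T) survives a Tschirnhausen transformation (both
    # discriminants are d(K) times a square), so it is computed once.
    disc = discriminant(t)
    candidates = iter(TRANSFORMS)
    while True:                                            # steps 1 to 4
        vals = resolvent_values(t)
        simple = [k for k, v in enumerate(vals)
                  if as_int(v) is not None and is_simple(vals, k)]
        if simple:
            break
        if all(is_simple(vals, k) for k in range(3)):      # squarefree, no integral root
            return ("A4", "+") if is_square(disc) else ("S4", "-")
        t = tschirnhausen(t, candidates)                   # step 2: R not squarefree
    if is_square(disc):
        return ("V4", "+")
    t = [t[i] for i in COSETS[simple[0]]]                  # step 5: renumber the roots
    while True:                                            # steps 6 and 7
        d = as_int(((t[0] - t[2]) * (t[1] - t[3]) * (t[0] + t[2] - t[1] - t[3])) ** 2)
        if d is None:
            raise ValueError("roots not accurate enough to round d")
        if d != 0:
            return ("C4", "-") if is_square(d) else ("D4", "-")
        t = tschirnhausen(t, candidates)
        k = next(k for k, v in enumerate(resolvent_values(t)) if as_int(v) is not None)
        t = [t[i] for i in COSETS[k]]                      # theta1 theta3 + theta2 theta4 in Z again


if __name__ == "__main__":
    for T in ([1, 1, 1, 1, 1], [1, 0, 0, 0, 1], [-2, 0, 0, 0, 1], [12, 8, 0, 0, 1], [1, 1, 0, 0, 1]):
        print(T, galois_group_quartic(T))
```

The same `discriminant` and `is_square` functions are all that Proposition 6.3.5 needs in degree 3. For $X^4 + 1$ the resolvent has the double root 0 and the simple root 2, so the squarefree test of step 2 would demand a transformation, while Proposition 6.3.8 lets the simple root settle the $(V_4, +)$ case at once.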
6.3.4 Degree 5

In degree 5 there are also (up to conjugacy) five transitive subgroups of $S_5$. These are $C_5$ (the cyclic group), $D_5$ (the dihedral group of order 10), $M_{20}$ (the metacyclic group of degree 5), $A_5$ and $S_5$.

Some inclusions are

$C_5 \subset D_5 \subset A_5 \cap M_{20}$.
The algorithm that we suggest is as follows.

Algorithm 6.3.9 (Galois Group for Degree 5). Given an irreducible monic polynomial $T \in \mathbb{Z}[X]$ of degree 5, this algorithm computes its Galois group.

1. [Compute resolvent] Using Algorithm 3.6.6, compute the roots $\theta_i$ of T in $\mathbb{C}$. Let

$F \leftarrow X_1^2(X_2X_5 + X_3X_4) + X_2^2(X_1X_3 + X_4X_5) + X_3^2(X_1X_5 + X_2X_4)$
$\quad + X_4^2(X_1X_2 + X_3X_5) + X_5^2(X_1X_4 + X_2X_3)$

and let $R \leftarrow R(F,T)$, where a system of representatives of G/H is given by $G/H = \{I, (12), (13), (14), (15), (25)\}$.

Round the coefficients of R to the nearest integer.

2. [Squarefree?] Compute $V \leftarrow (R, R')$ using the Euclidean algorithm. If V is non-constant, replace T by the polynomial obtained by applying a Tschirnhausen transformation using Algorithm 6.3.4 and go to step 1.

3. [Factor resolvent] Factor R using Algorithm 3.5.7. (Note that one can show that either R is irreducible or R has an integral root. So, as in the algorithm for degree 4, it may be better to compute the roots of R which are known explicitly.)

4. [Can one conclude?] If R is irreducible, then output $(A_5, +)$ or $(S_5, -)$ depending on whether $\mathrm{disc}(T)$ is a perfect square or not, and terminate the algorithm. Otherwise, if $\mathrm{disc}(T)$ is not a perfect square, output $(M_{20}, -)$ and terminate the algorithm.

5. [Renumber] (Here R has an integral root and $\mathrm{disc}(T)$ is a square. The Galois group must be isomorphic either to $C_5$ or to $D_5$.) Let $\sigma$ be the element of $S_5$ corresponding to the integral root of R, and set $(\theta_i) \leftarrow (\theta_{\sigma(i)})$ (i.e. we renumber the roots of T according to $\sigma$).

6. [Compute discriminant of new resolvent] Set

$d \leftarrow \bigl(\theta_1\theta_2(\theta_2 - \theta_1) + \theta_2\theta_3(\theta_3 - \theta_2) + \theta_3\theta_4(\theta_4 - \theta_3) + \theta_4\theta_5(\theta_5 - \theta_4) + \theta_5\theta_1(\theta_1 - \theta_5)\bigr)^2$

rounded to the nearest integer (with the same remarks as before about the accuracy needed for the $\theta_i$). If $d \neq 0$, output $(C_5, +)$ or $(D_5, +)$ depending on whether d is a perfect square or not, and terminate the algorithm.

7. [Replace] (Here $d = 0$.) Replace T by the polynomial obtained by applying a Tschirnhausen transformation A using Algorithm 6.3.4. Set $\theta_i \leftarrow A(\theta_i)$ (which will be the roots of the new T). Reorder the $\theta_i$ so that $F(\theta_1, \theta_2, \theta_3, \theta_4, \theta_5) \in \mathbb{Z}$ where F is as in step 1 (only the 6 elements of G/H given in step 1 need to be tried), then go to step 6.

The first resolvent corresponds to $G = S_5$ and

$H = M_{20} = \langle (12345), (2354) \rangle$.

Step 6 corresponds implicitly to the use of the second degree resolvent obtained with $F = X_1X_2^2 + X_2X_3^2 + X_3X_4^2 + X_4X_5^2 + X_5X_1^2$, $G = D_5$, $H = C_5$ and $G/H = \{I, (12)(35)\}$.


6.3.5 Degree 6

In degree 6 there are, up to conjugation, 16 transitive subgroups of $S_6$. The inclusion diagram is complicated, and the number of resolvent polynomials is high. The best way to study this degree is to work using relative extensions, that is to study the number field K as a quadratic or cubic extension of a cubic or quadratic subfield respectively, if they exist. This is done in [Oli2] and [BeMaOl].

In this book we have not considered relative extensions. Furthermore, when a sextic field is given by a sixth degree polynomial over $\mathbb{Q}$, it is not immediately obvious, even if it is theoretically possible, how to express it as a relative extension, although the POLRED Algorithm 4.4.11 often gives such information. Hence, we again turn to the heavier machinery of resolvent polynomials.

It is traditional to use the notation $G_k$ to denote a group of cardinality k. Also, special care must be taken when considering abstract groups. For example, the group $S_4$ occurs as two different conjugacy classes of $S_6$, one which is in $A_6$, the other which is not (the traditional notation would then be $S_4^+$ and $S_4^-$ respectively).

We will describe the groups as we go along the algorithm. There are many possible resolvents which can be used. The algorithm that we suggest has the advantage of needing a single resolvent, except in one case, similarly to degrees 4 and 5.

Algorithm 6.3.10 (Galois Group for Degree 6). Given an irreducible monic polynomial $T \in \mathbb{Z}[X]$ of degree 6, this algorithm computes its Galois group.

1. [Compute resolvent] Using Algorithm 3.6.6, compute the roots $\theta_i$ of T in $\mathbb{C}$. Let

$F \leftarrow X_1^2X_5^2(X_2X_4 + X_3X_6) + X_2^2X_4^2(X_1X_5 + X_3X_6) + X_3^2X_6^2(X_1X_5 + X_2X_4)$
$\quad + X_1^2X_6^2(X_2X_5 + X_3X_4) + X_2^2X_5^2(X_1X_6 + X_3X_4) + X_3^2X_4^2(X_1X_6 + X_2X_5)$
$\quad + X_1^2X_3^2(X_2X_6 + X_4X_5) + X_2^2X_6^2(X_1X_3 + X_4X_5) + X_4^2X_5^2(X_1X_3 + X_2X_6)$
$\quad + X_1^2X_4^2(X_2X_3 + X_5X_6) + X_2^2X_3^2(X_1X_4 + X_5X_6) + X_5^2X_6^2(X_1X_4 + X_2X_3)$
$\quad + X_1^2X_2^2(X_3X_5 + X_4X_6) + X_3^2X_5^2(X_1X_2 + X_4X_6) + X_4^2X_6^2(X_1X_2 + X_3X_5)$

and let $R \leftarrow R(F,T)$, where a system of representatives of G/H is given by

$G/H = \{I, (12), (13), (14), (15), (16)\}$.

Round the coefficients of R to the nearest integer.

2. [Squarefree?] Compute $V \leftarrow (R, R')$ using the Euclidean algorithm. If V is non-constant, replace T by the polynomial obtained by applying a Tschirnhausen transformation using Algorithm 6.3.4 and go to step 1.

3. [Factor resolvent] Factor R using Algorithm 3.5.7. If R is irreducible, then go to step 5, otherwise let L be the list of the degrees of the irreducible factors sorted in increasing order.

4. [Conclude]

a) If $L = (1, 2, 3)$, let $f_1$ be the irreducible factor of R of degree equal to 3. Output $(C_6, -)$ or $(D_6, -)$ depending on whether $\mathrm{disc}(f_1)$ is a square or not.

b) If $L = (3, 3)$, let $f_1$ and $f_2$ be the irreducible factors of R. If both $\mathrm{disc}(f_1)$ and $\mathrm{disc}(f_2)$ are not squares output $(G_{36}, -)$, otherwise output $(G_{18}, -)$. Note that $G_{36} = C_3^2 \rtimes C_2^2 \simeq D_3 \times D_3$, and $G_{18} = C_3^2 \rtimes C_2 \simeq C_3 \times D_3$.

c) If $L = (2, 4)$ and $\mathrm{disc}(T)$ is a square, output $(S_4, +)$. Otherwise, if $L = (2, 4)$ and $\mathrm{disc}(T)$ is not a square, let $f_1$ be the irreducible factor of degree 4 of R. Then output $(A_4 \times C_2, -)$ or $(S_4 \times C_2, -)$ depending on whether $\mathrm{disc}(f_1)$ is a square or not.

d) If $L = (1, 1, 4)$ then output $(A_4, +)$ or $(S_4, -)$ depending on whether $\mathrm{disc}(T)$ is a square or not.

e) If $L = (1, 5)$, then output $(\mathrm{PSL}_2(\mathbb{F}_5), +)$ or $(\mathrm{PGL}_2(\mathbb{F}_5), -)$ depending on whether $\mathrm{disc}(T)$ is a square or not. Note that $\mathrm{PSL}_2(\mathbb{F}_5) \simeq A_5$ and that $\mathrm{PGL}_2(\mathbb{F}_5) \simeq S_5$.

f) Finally, if $L = (1, 1, 1, 3)$, output $(S_3, -)$.

Then terminate the algorithm.

5. [Compute new resolvent] (Here our preceding resolvent was irreducible. Note that we do not have to reorder the roots.) Let

$F \leftarrow X_1X_2X_3 + X_4X_5X_6$

and let $R \leftarrow R(F,T)$, where a system of representatives of G/H is now given by

$G/H = \{I, (14), (15), (16), (24), (25), (26), (34), (35), (36)\}$.

Round the coefficients of R to the nearest integer.

6. [Squarefree?] Compute $V \leftarrow (R, R')$ using the Euclidean algorithm. If V is non-constant, replace T by the polynomial obtained by applying a Tschirnhausen transformation using Algorithm 6.3.4 and go to step 5.

7. [Factor resolvent] Factor R using Algorithm 3.5.7. (Note that in this case either R is irreducible, or it has an integral root, so again it is probably better to compute these 10 roots directly from the roots of T and check whether they are integral.)

8. [Conclude] If R is irreducible (or has no integral root), then output $(A_6, +)$ or $(S_6, -)$ depending on whether $\mathrm{disc}(T)$ is a square or not. Otherwise, output $(G_{36}, +)$ or $(G_{72}, -)$ depending on whether $\mathrm{disc}(T)$ is a square or not. Then terminate the algorithm. Note that $G_{36} = C_3^2 \rtimes C_4$ and $G_{72} = C_3^2 \rtimes D_4$.

The first resolvent corresponds to $G = S_6$ and

$H = \mathrm{PGL}_2(\mathbb{F}_5) = \langle (12345), (16)(23)(45) \rangle$.

The second resolvent, used in step 5, corresponds to $G = S_6$ and
$H = G_{72} = \langle (123), (14)(25)(36), (1524)(36) \rangle$.


Remark. It can be shown that a sextic field has a quadratic subfield if and only if its Galois group is isomorphic to a (transitive) subgroup of $G_{72}$. This corresponds to the groups $(C_6, -)$, $(S_3, -)$, $(D_6, -)$, $(G_{18}, -)$, $(G_{36}, -)$, $(G_{36}, +)$ and $(G_{72}, -)$.

Similarly, it has a cubic subfield if and only if its Galois group is isomorphic to a (transitive) subgroup of $S_4 \times C_2$. This corresponds to the groups $(C_6, -)$, $(S_3, -)$, $(D_6, -)$, $(A_4, +)$, $(S_4, +)$, $(S_4, -)$, $(A_4 \times C_2, -)$ and $(S_4 \times C_2, -)$.

Hence, it has both a quadratic and a cubic subfield if and only if its Galois group is isomorphic to $(C_6, -)$, $(S_3, -)$ or $(D_6, -)$.

If the field is primitive, i.e. does not have quadratic or cubic subfields, this implies that its Galois group can only be $\mathrm{PSL}_2(\mathbb{F}_5) \simeq A_5$, $\mathrm{PGL}_2(\mathbb{F}_5) \simeq S_5$, $A_6$ or $S_6$.


6.3.6 Degree 7

In degree 7, there are seven transitive subgroups of $S_7$ which are $C_7$, $D_7$, $M_{21}$, $M_{42}$, $\mathrm{PSL}_2(\mathbb{F}_7) \simeq \mathrm{PSL}_3(\mathbb{F}_2)$, $A_7$ and $S_7$.

Some inclusions are

$C_7 \subset D_7 \subset M_{42}$, $\quad C_7 \subset M_{21} \subset \mathrm{PSL}_2(\mathbb{F}_7) \subset A_7$ $\quad$ and $\quad M_{21} \subset M_{42}$.

In this case there exists a remarkably simple algorithm.

Algorithm 6.3.11 (Galois Group for Degree 7). Given an irreducible monic polynomial $T \in \mathbb{Z}[X]$ of degree 7, this algorithm computes its Galois group.

1. [Compute resolvent] Using Algorithm 3.6.6, compute the roots $\theta_i$ of T in $\mathbb{C}$. Let

$R \leftarrow \prod_{1 \le i < j < k \le 7} \bigl(X - (\theta_i + \theta_j + \theta_k)\bigr)$

which is a polynomial of degree 35, and round the coefficients of R to the nearest integer.

2. [Squarefree?] Compute $V \leftarrow (R, R')$ using the Euclidean algorithm. If V is non-constant, replace T by the polynomial obtained by applying a Tschirnhausen transformation using Algorithm 6.3.4 and go to step 1.

3. [Factor resolvent and conclude] Factor R using Algorithm 3.5.7. If R is irreducible, then output $(A_7, +)$ or $(S_7, -)$ depending on whether $\mathrm{disc}(T)$ is a square or not. Otherwise, let L be the list of the degrees of the irreducible factors sorted in increasing order. Output $(\mathrm{PSL}_2(\mathbb{F}_7), +)$, $(M_{42}, -)$, $(M_{21}, +)$, $(D_7, -)$ or $(C_7, +)$ depending on whether $L = (7, 28)$, $L = (14, 21)$, $L = (7, 7, 21)$, $L = (7, 7, 7, 14)$ or $L = (7, 7, 7, 7, 7)$ respectively. Then terminate the algorithm.

Note that this algorithm does not exactly correspond to the framework based on Theorem 6.3.3 but it has the advantage of being very simple, and computationally not too inefficient. It does involve factoring a polynomial of degree 35 over $\mathbb{Z}$ however, and this can be quite slow. (To give some idea of the speed: on a modern workstation the algorithms take a few seconds for degrees less than or equal to 6, while for degree 7, a few minutes may be required using this algorithm.)

Several methods can be used to improve this basic algorithm in practice. First of all, one expects that the overwhelming majority of polynomials will have $S_7$ as their Galois group, and hence that our resolvent will be irreducible. We can test for irreducibility, without actually factoring the polynomial, by testing this modulo p for small primes p. If it is already irreducible modulo p for some p, then there is no need to go any further. Of course, this is done automatically if we use Algorithm 3.5.7, but that algorithm will start by doing the distinct degree factorization 3.4.3, when it is simpler here to use Proposition 3.4.4.

Even if one expects that the resolvent will factor, we can use the divisibility by 7 of the degrees of its irreducible factors in almost every stage of the factoring Algorithm 3.5.7.

Another idea is to use the resolvent method as explained at the beginning of this chapter. Instead of factoring polynomials having large degrees, we simply find the list of all cosets $\sigma$ of G modulo H such that

$F(\theta_{\sigma(1)}, \theta_{\sigma(2)}, \ldots, \theta_{\sigma(n)}) \in \mathbb{Z}$.

If there is more than one coset, this means that the resolvent is not squarefree, hence we must apply a Tschirnhausen transformation. If there is exactly one, then the Galois group is isomorphic to a subgroup of H, and the coset gives the permutation of the roots which must be applied to go further down the tree of subgroups. If there are none, the Galois group is not isomorphic to a subgroup of H. Of course, all this applies to any degree, not only to degree 7.

As the reader can see, I do not give explicitly the resolvents and cosets for degree 7. The resolvents themselves are as simple as the ones that we have given in lower degrees. On the other hand, the list of cosets is long. For example for the pair $(S_7, M_{42})$ we need 120 elements. This is cumbersome to write down. It should be noted however that the resulting algorithm is much more efficient than the preceding one (again at most a few seconds on a modern workstation). These cosets and resolvents in degree 7, 8, 9, 10 and 11 may be obtained in electronic form upon request from M. Olivier (same address as the author).


6.3.7 A List of Test Polynomials

As a first check of the correctness of an implementation of the above algorithms, we give a polynomial for each of the possible Galois groups occurring in degree less than or equal to 7. This list is taken from [Soi-McKay]. Note that for many of the given polynomials, it will be necessary to apply a Tschirnhausen transformation. We list first the group as it is output by the algorithm, then a polynomial having this as Galois group.

$(S_1, -)$: $X$
$(S_2, -)$: $X^2 + X + 1$
$(C_3, +)$: $X^3 + X^2 - 2X - 1$
$(S_3, -)$: $X^3 + 2$

$(C_4, -)$: $X^4 + X^3 + X^2 + X + 1$
$(V_4, +)$: $X^4 + 1$
$(D_4, -)$: $X^4 - 2$
$(A_4, +)$: $X^4 + 8X + 12$
$(S_4, -)$: $X^4 + X + 1$

$(C_5, +)$: $X^5 + X^4 - 4X^3 - 3X^2 + 3X + 1$
$(D_5, +)$: $X^5 - 5X + 12$
$(M_{20}, -)$: $X^5 + 2$
$(A_5, +)$: $X^5 + 20X + 16$
$(S_5, -)$: $X^5 - X + 1$

$(C_6, -)$: $X^6 + X^5 + X^4 + X^3 + X^2 + X + 1$
$(S_3, -)$: $X^6 + 108$
$(D_6, -)$: $X^6 + 2$
$(A_4, +)$: $X^6 - 3X^2 - 1$
$(G_{18}, -)$: $X^6 + 3X^3 + 3$
$(A_4 \times C_2, -)$: $X^6 - 3X^2 + 1$
$(S_4, +)$: $X^6 - 4X^2 - 1$
$(S_4, -)$: $X^6 - 3X^5 + 6X^4 - 7X^3 + 2X^2 + X - 4$
$(G_{36}, -)$: $X^6 + 2X^3 - 2$
$(G_{36}, +)$: $X^6 + 6X^4 + 2X^3 + 9X^2 + 6X - 4$
$(S_4 \times C_2, -)$: $X^6 + 2X^2 + 2$
$(\mathrm{PSL}_2(\mathbb{F}_5), +) \simeq (A_5, +)$: $X^6 - 2X^5 - 5X^2 - 2X - 1$
$(G_{72}, -)$: $X^6 + 2X^4 + 2X^3 + X^2 + 2X + 2$
$(\mathrm{PGL}_2(\mathbb{F}_5), -) \simeq (S_5, -)$: $X^6 - X^5 - 10X^4 + 30X^3 - 31X^2 + 7X + 9$
$(A_6, +)$: $X^6 + 24X - 20$
$(S_6, -)$: $X^6 + X + 1$

$(C_7, +)$: $X^7 + X^6 - 12X^5 - 7X^4 + 28X^3 + 14X^2 - 9X + 1$
$(D_7, -)$: $X^7 + 7X^3 + 7X^2 + 7X - 1$
$(M_{21}, +)$: $X^7 - 14X^5 + 56X^3 - 56X + 22$
$(M_{42}, -)$: $X^7 + 2$
$(\mathrm{PSL}_2(\mathbb{F}_7), +) \simeq (\mathrm{PSL}_3(\mathbb{F}_2), +)$: $X^7 - 7X^3 + 14X^2 - 7X + 1$
$(A_7, +)$: $X^7 + 7X^4 + 14X + 3$
$(S_7, -)$: $X^7 + X + 1$


6.4 Examples of Families of Number Fields

6.4.1 Making Tables of Number Fields

It is important to try to describe the family of all number fields (say of a given degree, Galois group of the Galois closure and signature) up to isomorphism. Unfortunately, this is a hopeless task except for some special classes of fields such as quadratic fields, cyclic cubic fields, cyclotomic fields, etc. We could, however, ask for a list of such fields whose discriminant is in absolute value bounded by a given constant, i.e. ask for tables of number fields. We first explain briefly how this can be done, referring to [Mart] and [Pohl] for complete details.

We need two theorems. The first is an easy result of the geometry of numbers (which we already used in Section 2.6 to show that the LLL algorithm terminates) which we formulate as follows.

Proposition 6.4.1. There exists a positive constant $\gamma_n$ having the following property. In any lattice (L, q) of $\mathbb{R}^n$, there exists a non-zero vector x such that $q(x) \le \gamma_n D^{2/n}$ where $D = \det(L) = \det(Q)^{1/2}$ is the determinant of the lattice (here Q is the matrix of q in some $\mathbb{Z}$-basis of L, see Section 2.5).

See for example [Knu2] (Section 3.3.4, Exercise 9) for a proof.

The best possible constant $\gamma_n$ is called Hermite's constant, and is known only for $n \le 8$:

$\gamma_1 = 1,\ \gamma_2^2 = \tfrac{4}{3},\ \gamma_3^3 = 2,\ \gamma_4^4 = 4,\ \gamma_5^5 = 8,\ \gamma_6^6 = \tfrac{64}{3},\ \gamma_7^7 = 64,\ \gamma_8^8 = 256.$

For larger values of n, the recursive upper bound

$\gamma_n \le \gamma_{n-1}^{(n-1)/(n-2)}$

gives useful results. The best known bounds are given for $n \le 24$ in [Con-Slo], Table 1.2 and Formula (47).

The basic theorem, due to Hunter (see [Hun] and Exercise 26), is as follows.

Theorem 6.4.2 (Hunter). Let K be a number field of degree n over $\mathbb{Q}$. There exists $\theta \in \mathbb{Z}_K \setminus \mathbb{Z}$ having the following property. Call $\theta_i$ the conjugates of $\theta$ in K. Then

$\sum_{i=1}^{n} |\theta_i|^2 \le \frac{\mathrm{Tr}(\theta)^2}{n} + \gamma_{n-1} \left( \frac{|d(K)|}{n} \right)^{1/(n-1)}$

where d(K) is the discriminant of K and $\mathrm{Tr}(\theta) = \sum_i \theta_i$ is the trace of $\theta$ over $\mathbb{Q}$. In addition, we may assume that $0 \le \mathrm{Tr}(\theta) \le n/2$.


This theorem is used as follows. Assume that we want to make a table of number fields of degree n and having a given signature, with discriminant d(K) satisfying $|d(K)| \le M$ for a given bound M. Then replacing d(K) by M in Hunter's theorem gives an upper bound for the $|\theta_i|$ and hence for the coefficients of the characteristic polynomial of $\theta$ in K.

If K is primitive, i.e. if the only subfields of K are $\mathbb{Q}$ and K itself, then since $\theta \notin \mathbb{Z}$ we know that $K = \mathbb{Q}(\theta)$, and thus we obtain a finite (although usually large) collection of polynomials to consider. Most of these polynomials can be discarded because their roots will not satisfy Hunter's inequality. Others can be discarded because they are reducible, or because they do not have the correct signature. Note that a given signature will give several inequalities between the coefficients of acceptable polynomials, and these should be checked before using Sturm's Algorithm 4.1.11 which is somewhat longer. (We are talking of millions if not billions of candidate polynomials here, depending on the degree and, of course, the size of M.)
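As an added example (not from the text), the following Python evaluates the right-hand side of Hunter's inequality with $|d(K)|$ replaced by M, turns it into bounds on the coefficients of the characteristic polynomial of $\theta$, and counts the integer coefficient vectors that remain to be sifted. The coefficient bounds are a crude construction of our own, $|e_k| \le \binom{n}{k} S^{k/2}$ where S is the Hunter bound and $e_k$ the k-th elementary symmetric function of the $\theta_i$; the finer inequalities used in [Mart] and [Pohl] are not reproduced. The Hermite constants are those listed above, and beyond $n = 8$ the recursive upper bound is used. The sample parameters (cubic fields, $M = 1000$) are constructed.

```python
from math import comb

# Hermite's constants for n <= 8, stored as gamma_n ** n exactly as the text
# lists them; gamma_n itself is the n-th root.
HERMITE_POW = {1: 1, 2: 4 / 3, 3: 2, 4: 4, 5: 8, 6: 64 / 3, 7: 64, 8: 256}


def hermite(n):
    """gamma_n for n <= 8; for larger n the recursive upper bound
    gamma_n <= gamma_{n-1}^((n-1)/(n-2)) quoted in the text, which is all
    an upper bound for the sieve needs."""
    if n in HERMITE_POW:
        return HERMITE_POW[n] ** (1 / n)
    return hermite(n - 1) ** ((n - 1) / (n - 2))


def hunter_bound(n, M, trace):
    """Right-hand side of Hunter's inequality with |d(K)| replaced by the table
    bound M: sum |theta_i|^2 <= trace^2 / n + gamma_{n-1} (M / n)^(1/(n-1))."""
    return trace ** 2 / n + hermite(n - 1) * (M / n) ** (1 / (n - 1))


def coefficient_bounds(n, M, trace):
    """Crude bounds (constructed here, not the finer ones of [Mart] and [Pohl])
    on the coefficients of the characteristic polynomial of theta.  From
    sum |theta_i|^2 <= S each |theta_i| <= sqrt(S), so the k-th elementary
    symmetric function of the theta_i is at most C(n, k) * S^(k/2) in absolute
    value.  The X^(n-1) coefficient is -trace and is fixed, so k starts at 2."""
    S = hunter_bound(n, M, trace)
    return {k: int(comb(n, k) * S ** (k / 2)) for k in range(2, n + 1)}


def candidate_count(n, M):
    """Number of integer coefficient vectors the crude bounds leave to be sifted,
    summed over the admissible traces 0 <= Tr(theta) <= n/2."""
    total = 0
    for trace in range(n // 2 + 1):
        count = 1
        for bound in coefficient_bounds(n, M, trace).values():
            count *= 2 * bound + 1
        total += count
    return total


if __name__ == "__main__":
    for n, M in ((3, 1000), (4, 10 ** 4), (5, 10 ** 5)):
        print(n, M, candidate_count(n, M))
```

Even with a small discriminant bound the candidate count grows quickly with the degree, which is why the signature inequalities and the cheap reducibility checks of the text are applied before Sturm's algorithm and before any field discriminant is computed.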

Finally,  using  Algorithm  6.1.8  compute  the  discriminant  of  the  number 
fields  corresponding  to  each  of  the  remaining  polynomials.  This  is  the  most 
time-consuming  part.  After  discarding  the  polynomials  which  give  a  field  dis¬ 
criminant  which  is  larger  than  M  in  absolute  value,  we  have  a  list  of  poly¬ 
nomials  which  define  all  the  number  fields  that  we  are  interested  in.  Many 
polynomials  may  give  the  same  number  field,  so  this  is  the  next  thing  to 
check.  Since  we  have  computed  an  integral  basis  for  each  polynomial  dur¬ 
ing  the  computation  of  the  discriminant  of  the  corresponding  number  field, 
we  can  use  the  POLRED  algorithm  (or  more  precisely  Algorithm  4.4.12)  to 
give  a  pseudo-canonical  polynomial  for  each  number  field.  This  will  eliminate 
practically  all  the  coincidences. 

When two distinct polynomials give the same field discriminant, we must now check whether or not the corresponding number fields are isomorphic, and this is done by using one of the algorithms given in Section 4.5.4. Note that this will now occur very rarely (since most cases have been dealt with using Algorithm 4.4.12).

If  the  field  K  is  not  primitive,  we  must  use  a  relative  version  of  Hunter’s 
theorem  due  to  Martinet  (see  [Mart]),  and  make  a  separate  table  of  imprimitive 
fields. 

In  the  rest  of  this  chapter  we  will  give  some  examples  of  families  of  number 
fields. 

The simplest of all number fields (apart from $\mathbb{Q}$ itself) are quadratic fields. This case has been studied in detail in Chapter 5, and we have also seen that there exist methods for computing regulators and class groups which do not immediately generalize to higher degree fields. Note also that higher degree fields are not necessarily Galois.

The next simplest case is probably that of cyclic cubic fields, which we now consider.


6.4.2 Cyclic Cubic Fields

Let $K$ be a number field of degree 3 over $\mathbb{Q}$, i.e. a cubic field. If $K$ is Galois over $\mathbb{Q}$, its Galois group must be isomorphic to the cyclic group $\mathbb{Z}/3\mathbb{Z}$, hence we say that $K$ is a cyclic cubic field. The Galois group has, apart from its identity element, two other elements which are inverses of each other. We denote them by $\sigma$ and $\sigma^{-1} = \sigma^2$. The first proposition to note is as follows.

Proposition 6.4.3. Let $K = \mathbb{Q}(\theta)$ be a cubic field, where $\theta$ is an algebraic integer whose minimal monic polynomial will be denoted $P(X)$. Then $K$ is a cyclic cubic field if and only if the discriminant of $P$ is a square.

Proof. This is a restatement of Proposition 6.3.5. □

This proposition clearly gives a trivial algorithm to check whether a cubic field is Galois or not.

In the rest of this (sub)section, we assume that $K$ is a cyclic cubic field. Our first task is to determine a general equation for such fields. Let $\theta$ be an algebraic integer such that $K = \mathbb{Q}(\theta)$, and let $P(X) = X^3 - SX^2 + TX - N$ be the minimal monic polynomial of $\theta$, with integer coefficients $S$, $T$ and $N$.

Note first that since any cubic field has at least one real embedding (as does any odd degree field) and since $K$ is Galois, all the roots of $P$ must be in $K$, hence they must all be real, so a cyclic cubic field must be totally real (i.e. $r_1 = 3$ real embeddings, and $r_2 = 0$ complex ones). Of course, this also follows because the discriminant of $P$ is a square.

In what follows, we set $\zeta = e^{2i\pi/3}$, i.e. a primitive cube root of unity. Since $K$ is totally real, $\zeta \notin K$, hence the extension field $K(\zeta)$ is a sixth degree field over $\mathbb{Q}$. It is easily checked that it is still Galois, with Galois group generated by commuting elements $\sigma$ and $\tau$, where $\sigma$ acts on $K$ as above and trivially on $\zeta$, and $\tau$ denotes complex conjugation.

The first result that we need is as follows.


Lemma 6.4.4. Set $\gamma = \theta + \zeta^2\sigma(\theta) + \zeta\sigma^2(\theta) \in K(\zeta)$, and $\beta = \gamma^2/\tau(\gamma)$. Then $\beta \in \mathbb{Q}(\zeta)$ and we have
$$P(X) = X^3 - SX^2 + \frac{S^2 - e}{3}X - \frac{S^3 - 3Se + eu}{27},$$
where we have set $e = \beta\tau(\beta)$ and $u = \beta + \tau(\beta)$ (i.e. $e$ and $u$ are the norm and trace of $\beta$ considered as an element of $\mathbb{Q}(\zeta)$).


Proof. We have $\tau(\gamma) = \theta + \zeta\sigma(\theta) + \zeta^2\sigma^2(\theta)$. One sees immediately that $\sigma(\gamma) = \zeta\gamma$ and $\sigma(\tau(\gamma)) = \zeta^2\tau(\gamma)$, hence $\beta$ is invariant under the action of $\sigma$, so by Galois theory $\beta$ must belong to the quadratic subfield $\mathbb{Q}(\zeta)$ of $K(\zeta)$. In particular, $e$ and $u$ as defined above are in $\mathbb{Q}$. Now we have the matrix equation
$$\begin{pmatrix} 1 & 1 & 1 \\ 1 & \zeta^2 & \zeta \\ 1 & \zeta & \zeta^2 \end{pmatrix}
\begin{pmatrix} \theta \\ \sigma(\theta) \\ \sigma^2(\theta) \end{pmatrix}
= \begin{pmatrix} S \\ \gamma \\ \tau(\gamma) \end{pmatrix},$$
so it follows by inverting the matrix that
$$\begin{pmatrix} \theta \\ \sigma(\theta) \\ \sigma^2(\theta) \end{pmatrix}
= \frac{1}{3}\begin{pmatrix} 1 & 1 & 1 \\ 1 & \zeta & \zeta^2 \\ 1 & \zeta^2 & \zeta \end{pmatrix}
\begin{pmatrix} S \\ \gamma \\ \tau(\gamma) \end{pmatrix}.$$
From the formulas $T = \theta\sigma(\theta) + \theta\sigma^2(\theta) + \sigma(\theta)\sigma^2(\theta)$ and $N = \theta\sigma(\theta)\sigma^2(\theta)$, a little computation gives the result of the lemma. □


We will now modify $\theta$ (hence its minimal polynomial $P(X)$) so as to obtain a unique equation for each cyclic cubic field. First note that replacing $\gamma$ by $(b + c\zeta)\gamma$ is equivalent to changing $\theta$ into $b\theta + c\sigma(\theta)$, and $\beta$ is changed into
$$\beta\,\frac{(b + c\zeta)^2}{b + c\zeta^2}.$$

Let $p_k$ be the primes which split in $\mathbb{Q}(\zeta)$ (as $p_k = \pi_k\tau(\pi_k)$), i.e. such that $p_k \equiv 1 \pmod 3$, let $q_k$ be the inert primes, i.e. such that $q_k \equiv 2 \pmod 3$, and let $\rho = 1 + 2\zeta = \sqrt{-3}$ be a ramified element (i.e. a prime element above the prime 3). We can write
$$b + c\zeta = (-\zeta)^g\,\rho^f\,\prod_k \pi_k^{e_k}\,\prod_k \tau(\pi_k)^{f_k}\,\prod_k q_k^{g_k}.$$


Hence, since $b + c\zeta^2 = \tau(b + c\zeta)$, we have
$$\frac{(b + c\zeta)^2}{b + c\zeta^2} = (-1)^{g+f}\,\rho^f\,\prod_k \pi_k^{2e_k - f_k}\,\prod_k \tau(\pi_k)^{2f_k - e_k}\,\prod_k q_k^{g_k}.$$

If the decomposition of $\beta$ (which is in $\mathbb{Q}(\zeta)$ but perhaps not in $\mathbb{Z}[\zeta]$) is
$$\beta = (-\zeta)^h\,\rho^m\,\prod_k \pi_k^{l_k}\,\prod_k \tau(\pi_k)^{m_k}\,\prod_k q_k^{n_k},$$
then we can choose $g_k = -n_k$ and $f = -m$. Furthermore, for each $k$ consider the quantity $m_k + 2l_k$. If it is congruent to 0 or 1 modulo 3, we will choose $e_k = \lfloor(-m_k - 2l_k + 1)/3\rfloor$ and $f_k = l_k + 2e_k$. If it is congruent to 2 modulo 3, then $l_k + 2m_k \equiv 1 \pmod 3$ and we choose $f_k = \lfloor(-l_k - 2m_k + 1)/3\rfloor$ and $e_k = m_k + 2f_k$.

It is easy to check that, with this choice of exponents, the new value of $\beta$ is an element of $\mathbb{Z}[\zeta]$ (and not only of $\mathbb{Q}(\zeta)$), is not divisible by any inert or ramified prime, and is divisible by split primes only to the first power. Also, at most one of $\pi_k$ or $\tau(\pi_k)$ divides $\beta$. In other words, if $e = \beta\tau(\beta)$ is the new value of the norm of $\beta$, then $e$ is equal to a product of distinct primes congruent to 1 modulo 3.

Finally, since $1 + \zeta + \zeta^2 = 0$, if we change $\theta$ into $a + \theta$ with $a \in \mathbb{Q}$, then $\gamma$ does not change and so neither do $\beta$ or $e$. Taking $a = -S/3$ (so that the new trace $S + 3a$ vanishes), we obtain a new value of $\theta$ whose trace is equal to 0. Putting all this together we have almost proved the following lemma.

Lemma 6.4.5. For any cyclic cubic field $K$, there exists a unique pair of integers $e$ and $u$ such that $e$ is equal to a product of distinct primes congruent to 1 modulo 3, $u \equiv 2 \pmod 3$ and such that $K = \mathbb{Q}(\theta')$ where $\theta'$ is a root of the polynomial
$$Q(X) = X^3 - \frac{e}{3}X - \frac{eu}{27},$$
or equivalently $K = \mathbb{Q}(\theta)$ where $\theta$ is a root of
$$P(X) = 27\,Q(X/3) = X^3 - 3eX - eu.$$

Proof. Since $\beta = (u + v\sqrt{-3})/2$, $u$ cannot be divisible by 3 since $\beta$ is not divisible by the ramified prime. Hence, by suitably choosing the exponent $g$ above (which amounts to changing $\beta$ into $-\beta$ if necessary), we may assume $u \equiv 2 \pmod 3$.

For the uniqueness statement, note that all the possible choices of generators of $K$ are of the form $a + b\theta + c\sigma(\theta)$, and since we want a trace equal to 0, this gives us the value of $a$ as a function of $b$ and $c$, where these last values are determined because we want $e$ to be equal to a product of primes congruent to 1 modulo 3, hence $\beta$ is unique. The last statement is trivial. □


We can now state the main theorem of this section.

Theorem 6.4.6. All cyclic cubic fields $K$ are given exactly once (up to isomorphism) in the following way.

(1) If the prime 3 is ramified in $K$, then $K = \mathbb{Q}(\theta)$ where $\theta$ is a root of the equation with coefficients in $\mathbb{Z}$
$$P(X) = X^3 - \frac{e}{3}X - \frac{eu}{27}, \quad\text{where}\quad e = \frac{u^2 + 27v^2}{4},\ u \equiv 6 \pmod 9,\ 3 \nmid v,\ u \equiv v \pmod 2,\ v > 0$$
and $e/9$ is equal to the product of distinct primes congruent to 1 modulo 3.

(2) If the prime 3 is unramified in $K$, then $K = \mathbb{Q}(\theta)$ where $\theta$ is a root of the equation with coefficients in $\mathbb{Z}$
$$P(X) = X^3 - X^2 + \frac{1 - e}{3}X - \frac{1 - 3e + eu}{27}, \quad\text{where}\quad e = \frac{u^2 + 27v^2}{4},\ u \equiv 2 \pmod 3,\ u \equiv v \pmod 2,\ v > 0$$
and $e$ is equal to the product of distinct primes congruent to 1 modulo 3.

In both cases, the discriminant of $P$ is equal to $e^2v^2$ and the discriminant of the number field $K$ is equal to $e^2$.

(3) Conversely, if $e$ is equal to 9 times the product of $t - 1$ distinct primes congruent to 1 modulo 3 (resp. is equal to the product of $t$ distinct primes congruent to 1 modulo 3), then there exist up to isomorphism exactly $2^{t-1}$ cyclic cubic fields of discriminant $e^2$ defined by the polynomials $P(X)$ given in (1) (resp. (2)).


To prove this theorem, we will need in particular to compute explicitly integral bases and discriminants of cyclic cubic fields. Although there are other (essentially equivalent) methods, we will apply the round 2 algorithm to do this.

So, let $K$ be a cyclic cubic field. By Lemma 6.4.5, we have $K = \mathbb{Q}(\theta)$ where $\theta$ is a root of the equation
$$P(X) = X^3 - 3eX - eu, \quad\text{where}\quad e = \frac{u^2 + 3v^2}{4},\ u \equiv 2 \pmod 3$$
and $e$ is equal to a product of distinct primes congruent to 1 modulo 3.

We first prove a few lemmas.

Lemma 6.4.7. Let $p \mid e$. Then the order $\mathbb{Z}[\theta]$ is $p$-maximal.

Proof. We apply Dedekind's criterion. Since $p \mid e$, $\overline{P}(X) = X^3$, therefore with the notations of Theorem 6.1.4, $t_1(X) = X$, $g(X) = X$, $h(X) = X^2$ and $f(X) = (3e/p)X + eu/p$. Since $p \mid e$ we cannot have $p \mid u$, otherwise $p \mid v$, hence $p^2 \mid e$ which was assumed not to be true. Therefore, $p \nmid eu/p$ so $(\overline{f}, \overline{g}, \overline{h}) = 1$, showing that $\mathbb{Z}[\theta]$ is $p$-maximal. □

Corollary 6.4.8. The discriminant of $P(X)$ is equal to $81e^2v^2$. The discriminant of the number field $K$ is divisible by $e^2$.

Proof. The discriminant of $X^3 + aX + b$ is equal to $-(4a^3 + 27b^2)$ (see Exercise 7 of Chapter 3), hence the discriminant of $P$ is equal to
$$-\bigl(4(-3e)^3 + 27e^2u^2\bigr) = -27e^2(u^2 - 4e) = 81e^2v^2,$$
thus proving the first formula. For the second, we know that the discriminant of the field $K$ is a square divisor of $81e^2v^2$. By the preceding lemma, $\mathbb{Z}[\theta]$ is $p$-maximal for all primes dividing $e$, and since $e$ is coprime to $81v^2$, the primes for which $\mathbb{Z}[\theta]$ may not be $p$-maximal are divisors of $81v^2$, hence the discriminant of $K$ is divisible by $e^2$. □

Since, as we will see, the prime divisors of $v$ other than 3 are irrelevant, what remains is to look at the behavior of the prime 3.

Lemma 6.4.9. Assume that $3 \nmid v$. Then $\mathbb{Z}[\theta]$ is 3-maximal.

Proof. Again we use Dedekind's criterion. Since $eu \equiv 2 \pmod 3$, we have $\overline{P} = (X + 1)^3$ in $\mathbb{F}_3[X]$ hence $t_1(X) = X + 1$, $g(X) = X + 1$, $h(X) = (X + 1)^2$ and $f(X) = X^2 + (e + 1)X + (1 + eu)/3 = (X + 1)(X + e) + (eu + 1 - 3e)/3$, hence
$$(\overline{f}, \overline{g}, \overline{h}) = (X + 1, \overline{f}) = \bigl(X + 1,\ (eu + 1 - 3e)/3\bigr).$$
Now we check that
$$r = \frac{eu + 1 - 3e}{3} = \frac{(u^2 + 3v^2)(u - 3) + 4}{12} = \frac{(u - 2)^2(u + 1) + 3v^2(u - 3)}{12},$$
hence, since $u \equiv 2 \pmod 3$, $4r \equiv v^2(u - 3) \pmod 9$ and, in particular, since $3 \nmid v$, $3 \nmid r$, so $(\overline{f}, \overline{g}, \overline{h}) = 1$, which proves the lemma. □

Lemma 6.4.10. With the above notation, let $\theta$ be a root of $P(X) = X^3 - 3eX - eu$, where $e = (u^2 + 3v^2)/4$ and $u \equiv 2 \pmod 3$. The conjugates of $\theta$ are given by the formulas
$$\sigma(\theta) = -\frac{2e}{v} - \frac{u + v}{2v}\,\theta + \frac{1}{v}\,\theta^2, \qquad
\sigma^2(\theta) = \frac{2e}{v} + \frac{u - v}{2v}\,\theta - \frac{1}{v}\,\theta^2.$$

Proof. From the proof of Proposition 6.4.3, we have $f = (\theta - \theta_2)(\theta_2 - \theta_3)(\theta_3 - \theta) = \pm 9ev$ (since the discriminant is equal to $81e^2v^2$). If necessary, by exchanging $\theta_2$ and $\theta_3$, we may assume that $\theta_2 - \theta_3 = 9ev/\bigl((\theta - \theta_2)(\theta - \theta_3)\bigr) = 9ev/P'(\theta) = 9ev/(3\theta^2 - 3e)$. Using the extended Euclidean algorithm with $A(X) = X^3 - 3eX - eu$ and $B(X) = X^2 - e$, one finds immediately that the inverse of $B$ modulo $A$ is equal to $(2X^2 - uX - 4e)/(3v^2e)$ hence
$$\theta_2 - \theta_3 = \frac{1}{v}\,(2\theta^2 - u\theta - 4e).$$
On the other hand, since the trace of $\theta$ is equal to 0, we have $\theta_2 + \theta_3 = -\theta$, and the formulas for $\theta_2 = \sigma(\theta)$ and $\theta_3 = \sigma^2(\theta)$ follow immediately.

It would of course have been simpler, but less natural, to check directly with the given formulas that $(X - \theta)(X - \sigma(\theta))(X - \sigma^2(\theta)) = X^3 - 3eX - eu$. □

We can now prove a theorem which immediately implies the first two statements of Theorem 6.4.6.

Theorem 6.4.11. Let $K = \mathbb{Q}(\theta)$ be a cyclic cubic field where $\theta$ is a root of $X^3 - 3eX - eu = 0$ and where, as above, $e = (u^2 + 3v^2)/4$ is equal to a product of distinct primes congruent to 1 modulo 3.

(1) Assume that $3 \nmid v$. Then $(1, \theta, \sigma(\theta))$ (where $\sigma(\theta)$ is given by the above formula) is an integral basis of $K$ and the discriminant of $K$ is equal to $(9e)^2$.

(2) Assume now that $3 \mid v$. Then, if $\theta' = (\theta + 1)/3$, $(1, \theta', \sigma(\theta'))$ is an integral basis of $K$ and the discriminant of $K$ is equal to $e^2$.

Proof. 1) Since $\theta^2 = v\sigma(\theta) + ((u + v)/2)\theta + 2e$, the $\mathbb{Z}$-module $O$ generated by $(1, \theta, \sigma(\theta))$ contains $\mathbb{Z}[\theta]$. One computes immediately (in fact simply from the formula that we have just given for $\theta^2$) that $\mathbb{Z}[\theta]$ is of index $v$ in $O$. Hence, the discriminant of $O$ is equal to $81e^2$. Since we know that $\mathbb{Z}[\theta]$, and a fortiori $O$, is 3-maximal and $p$-maximal for every prime dividing $e$, it follows that $O$ is the maximal order, thus proving the first part of the theorem.

2) We now consider the case where $3 \mid v$. The field $K$ can then be defined by the polynomial
$$Q(X) = P(3X - 1)/27 = X^3 - X^2 + \frac{1 - e}{3}X - \frac{1 - 3e + eu}{27}.$$
Since $e \equiv 1 \pmod 3$, $u \equiv 2 \pmod 3$ and $3 \mid v$, a simple calculation shows that $Q \in \mathbb{Z}[X]$. Furthermore, from Proposition 3.3.5 the discriminant of $Q$ is equal to the discriminant of $P$ divided by $3^6$, i.e. to $e^2(v/3)^2$. Set $\theta' = (\theta + 1)/3$, which is a root of $Q$, and let $O$ be the $\mathbb{Z}$-module generated by $(1, \theta', \sigma(\theta'))$. We compute that
$$\sigma(\theta') = \frac{2 + u + 3v - 4e}{6v} - \frac{4 + u + v}{2v}\,\theta' + \frac{3}{v}\,\theta'^2,$$
and so, as in the proof of the first part, one checks that $O \supset \mathbb{Z}[\theta']$ and $[O : \mathbb{Z}[\theta']] = v/3$. Therefore the discriminant of $O$ is equal to $e^2$. By Corollary 6.4.8 the discriminant of $K$ must also be divisible by $e^2$, and so the theorem follows. □


Proof of Theorem 6.4.6. First, we note that the polynomials given in Theorem 6.4.6 are irreducible in $\mathbb{Q}[X]$ (see Exercise 17).

From Theorem 6.4.11, one sees immediately that 3 is ramified in $K$ (i.e. 3 divides the discriminant of $K$) if and only if $3 \nmid v$. Hence, Lemma 6.4.5 tells us that $K$ is given by an equation $P(X) = X^3 - 3eX - eu$ (with several conditions on $e$ and $u$). If we set $u_1 = 3u$, $v_1 = v$ and $e_1 = 9e$, we have $e_1 = (u_1^2 + 27v_1^2)/4$, $u_1 \equiv 6 \pmod 9$, $3 \nmid v_1$, and $P(X) = X^3 - (e_1/3)X - (e_1u_1)/27$ as claimed in Theorem 6.4.6 (1).

Assume now that 3 is not ramified, i.e. that $3 \mid v$. From the proof of the second part of Theorem 6.4.11, we know that $K$ can be defined by the polynomial $X^3 - X^2 + ((1 - e)/3)X - (1 - 3e + eu)/27 \in \mathbb{Z}[X]$ and this time setting $e_1 = e$, $v_1 = v/3$ and $u_1 = u$, it is clear that the second statement of Theorem 6.4.6 follows.

We still need to prove that any two fields defined by different polynomials $P(X)$ given in (1) or (2) are not isomorphic, i.e. that the pair $(e, u)$ determines the isomorphism class. This follows immediately from the uniqueness statement of Lemma 6.4.5. (Note that the $e$ and $u$ in Lemma 6.4.5 are either equal to the $e$ and $u$ of the theorem (in case (2)), or to $e/9$ and $u/3$ (in case (1)).)

Let us prove (3). Assume that $e$ is equal to a product of $t$ distinct primes congruent to 1 modulo 3 (the case where $e$ is equal to 9 times the product of $t - 1$ distinct primes congruent to 1 modulo 3 is dealt with similarly, see Exercise 18). Let $A = \mathbb{Z}[(1 + \sqrt{-3})/2]$ be the ring of algebraic integers of $\mathbb{Q}(\sqrt{-3})$. It is trivial to check (and in fact we have already implicitly used this in the proof of (2)) that if $\alpha \in A$ with $3 \nmid N(\alpha)$, there exists a unique $\alpha'$ associate to $\alpha$ (i.e. generating the same principal ideal) such that
$$\alpha' = (u + 3v\sqrt{-3})/2, \qquad u \equiv 2 \pmod 3.$$
Furthermore, since $A$ is a Euclidean domain and in particular a PID, Proposition 5.1.4 shows that if $p_i$ is a prime congruent to 1 modulo 3, then $p_i = \alpha_i\overline{\alpha_i}$ for a unique $\alpha_i = (u_i + 3v_i\sqrt{-3})/2$ with $u_i \equiv 2 \pmod 3$ and $v_i > 0$.

Hence, if $e = \prod_{1 \le i \le t} p_i$, then $e = (u^2 + 27v^2)/4 = N\bigl((u + 3v\sqrt{-3})/2\bigr)$ if and only if
$$(u + 3v\sqrt{-3})/2 = \prod_{1 \le i \le t} \rho_i$$
where $\rho_i = \alpha_i$ or $\rho_i = \overline{\alpha_i}$, and this gives $2^t$ solutions to the equation $e = (u^2 + 27v^2)/4$. (Note that using associates of $\rho_i$ does not give any new solutions.) But, we have seen above that the isomorphism class of a cyclic cubic field is determined uniquely by the pair $(e, u)$ satisfying appropriate conditions. Since $e = (u^2 + 27(-v)^2)/4$ gives the same field as $e = (u^2 + 27v^2)/4$, this shows, as claimed, that there exist exactly $2^{t-1}$ distinct values of $u$, hence $2^{t-1}$ non-isomorphic fields of discriminant $e^2$. This finishes the proof of Theorem 6.4.6. □

Corollary 6.4.12. With the notation of Theorem 6.4.6 (i.e. not those of Theorem 6.4.11), the conjugates of $\theta$ are given by the formula
$$\sigma^{\pm 1}(\theta) = \mp\frac{2e}{9v} + \frac{-3v \mp u}{6v}\,\theta \pm \frac{1}{v}\,\theta^2$$
when 3 is ramified in $K$ (i.e. in case (1)), and by the formula
$$\sigma^{\pm 1}(\theta) = \frac{9v \pm (u + 2 - 4e)}{18v} + \frac{-3v \mp (u + 4)}{6v}\,\theta \pm \frac{1}{v}\,\theta^2$$
when 3 is not ramified in $K$ (i.e. in case (2)).

In addition, in all cases the discriminant of the polynomial $P$ is equal to $e^2v^2$, the discriminant of the field $K$ is equal to $e^2$ and $(1, \theta, \sigma(\theta))$ is an integral basis of $K$.

The proof of this corollary follows immediately from Lemma 6.4.10 and the proof of Theorems 6.4.11 and 6.4.6. □

For another way to describe cyclic cubic fields parametrically see Exercise 21.
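As an added example (my code, not the book's), the following Python script lists the fields of Theorem 6.4.6 for a given $e$, checks $\operatorname{disc}(P) = e^2v^2$ with the usual cubic discriminant formula, and verifies the conjugate formula of Corollary 6.4.12 by exact arithmetic in $\mathbb{Q}(\theta) = \mathbb{Q}[X]/(P)$; all function names are my own.

```python
from fractions import Fraction
from math import isqrt


def distinct_primes(n):
    """Distinct prime factors of n > 1 by trial division."""
    out, p = [], 2
    while p * p <= n:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        out.append(n)
    return out


def exact_div(a, b):
    """a / b, insisting on exact division (Theorem 6.4.6 guarantees it)."""
    q, r = divmod(a, b)
    if r:
        raise ArithmeticError(f"{a} is not divisible by {b}")
    return q


def cyclic_cubic_fields(e):
    """All cyclic cubic fields of discriminant e^2, as Theorem 6.4.6 lists them.

    Returns [(u, v, P)] with P = (c2, c1, c0), the coefficients of the monic
    defining polynomial X^3 + c2 X^2 + c1 X + c0 of case (1) (9 | e) or (2).
    """
    ramified = e % 9 == 0           # case (1): 3 ramifies, e/9 squarefree
    core = e // 9 if ramified else e
    primes = distinct_primes(core) if core > 1 else []
    prod = 1
    for p in primes:
        prod *= p
    if prod != core or any(p % 3 != 1 for p in primes):
        raise ValueError("e must be (9 times) a product of distinct primes = 1 mod 3")
    fields = []
    v = 1
    while 27 * v * v < 4 * e:       # solve 4e = u^2 + 27 v^2 with v > 0
        u2 = 4 * e - 27 * v * v
        u = isqrt(u2)
        if u * u == u2:
            for cand in (u, -u):    # u = v (mod 2) is then automatic
                if ramified and (cand % 9 != 6 or v % 3 == 0):
                    continue
                if not ramified and cand % 3 != 2:
                    continue
                if ramified:
                    P = (0, -exact_div(e, 3), -exact_div(e * cand, 27))
                else:
                    P = (-1, exact_div(1 - e, 3),
                         -exact_div(1 - 3 * e + e * cand, 27))
                fields.append((cand, v, P))
        v += 1
    return fields


def disc_cubic(P):
    """Discriminant of X^3 + c2 X^2 + c1 X + c0."""
    c2, c1, c0 = P
    return (c2 * c2 * c1 * c1 - 4 * c1 ** 3 - 4 * c2 ** 3 * c0
            - 27 * c0 * c0 + 18 * c2 * c1 * c0)


def sigma_theta(e, u, v):
    """sigma(theta) = r0 + r1 theta + r2 theta^2 (Corollary 6.4.12, upper signs)."""
    if e % 9 == 0:                  # case (1)
        return [Fraction(-2 * e, 9 * v), Fraction(-3 * v - u, 6 * v), Fraction(1, v)]
    return [Fraction(9 * v + u + 2 - 4 * e, 18 * v),
            Fraction(-3 * v - (u + 4), 6 * v), Fraction(1, v)]


def mul_mod(x, y, P):
    """Product in Q(theta) = Q[X]/(P); elements are [a0, a1, a2] on 1, theta, theta^2."""
    c2, c1, c0 = P
    prod = [Fraction(0)] * 5
    for i in range(3):
        for j in range(3):
            prod[i + j] += x[i] * y[j]
    for d in (4, 3):                # reduce with theta^3 = -c2 theta^2 - c1 theta - c0
        t = prod[d]
        prod[d - 1] -= t * c2
        prod[d - 2] -= t * c1
        prod[d - 3] -= t * c0
    return prod[:3]


def is_conjugate(s, P):
    """True iff s is a root of P other than theta itself, i.e. P(s) = 0 in Q(theta)."""
    c2, c1, c0 = P
    s2 = mul_mod(s, s, P)
    s3 = mul_mod(s2, s, P)
    val = [s3[i] + c2 * s2[i] + c1 * s[i] for i in range(3)]
    val[0] += c0
    return all(t == 0 for t in val) and s != [0, 1, 0]
```

For $e = 7 \cdot 13 = 91$ the script returns the two polynomials $X^3 - X^2 - 30X + 64$ and $X^3 - X^2 - 30X - 27$, which is the count $2^{t-1}$ of part (3).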


6.4.3 Pure Cubic Fields

Another class of fields which is easy to describe is the class of pure cubic fields, i.e. fields $K = \mathbb{Q}(\sqrt[3]{m})$ where $m$ is an integer which we may assume not to be divisible by a cube other than $\pm 1$.

The defining polynomial is $P(X) = X^3 - m$ whose discriminant is equal to $-27m^2$. Let $\theta$ be the root of this polynomial which is in $K$.

As in the case of cyclic cubic fields, we must compute the maximal order of $K$. This is very easy to do using Dedekind's criterion (see Exercise 2). I would like to show however how the Pohst-Zassenhaus Theorem 6.1.3 is really used in the round 2 algorithm, so I will deliberately skip the steps of Algorithm 6.1.8 which use the Dedekind criterion. This will of course make the computations longer, but will illustrate the full use of the round 2 algorithm.

Let $p$ be a prime dividing $m$ and not equal to 3. Then $p^2$ divides the discriminant of $P$. Let $r$ be 1 if $p \equiv 1 \pmod 3$, $r = 2$ if not. Then, clearly $\theta^p = m^{(p-r)/3}\theta^r$. Hence, in the basis $1, \theta, \theta^2$ the matrix of the Frobenius at $p$ (or of its square if $p = 2$) is clearly equal to
$$\begin{pmatrix} 1 & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix}.$$
This implies that a basis of the $p$-radical is given by $(\theta, \theta^2)$. Hence, in step 9 we take $\alpha_1 = \theta$, $\alpha_2 = \theta^2$ and $\alpha_3 = p$.

The 9 by 3 matrix $C$ is obtained by stacking the following three matrices:
$$\begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & m/p \end{pmatrix}, \qquad
\begin{pmatrix} 0 & 0 & 0 \\ 1 & 0 & 0 \\ 0 & m/p & 0 \end{pmatrix}, \qquad
\begin{pmatrix} 0 & 0 & 0 \\ 0 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix}.$$
It follows from the first three equations that, if $p^2 \nmid m$, the kernel of $C$ is trivial, hence that $\mathbb{Z}[\theta]$ is $p$-maximal. Therefore, we will write
$$m = ab^2, \qquad a \text{ and } b \text{ squarefree}, \qquad (a, b) = 1.$$
Indeed, $a$ is chosen squarefree, but since $m$ is cubefree the other conditions follow.

With these notations, we have just shown that if $p \mid a$ then $\mathbb{Z}[\theta]$ is $p$-maximal. Take now $p \mid b$ (still with $p \ne 3$). The kernel of the matrix $C$ is now clearly generated over $\mathbb{F}_p$ by the column vector $(0, 0, 1)$ corresponding to $\theta^2$, hence in step 10 we will compute the Hermite normal form of the matrix
$$\begin{pmatrix} 0 & p & 0 & 0 \\ 0 & 0 & p & 0 \\ 1 & 0 & 0 & p \end{pmatrix}.$$
This is clearly equal to the matrix
$$\begin{pmatrix} p & 0 & 0 \\ 0 & p & 0 \\ 0 & 0 & 1 \end{pmatrix},$$
thus enlarging the order $\mathbb{Z}[\theta]$ to the order whose $\mathbb{Z}$-basis is $(1, \theta, \theta^2/p)$. If we apply the round 2 algorithm again to this new order, one checks immediately that the new matrix $C$ will be the same as the one above with $m/p$ replaced by $m/p^2$. Since $m$ is cubefree, this is not divisible by $p$ which shows that the kernel is trivial and so the new order is $p$-maximal.

Putting together all the local pieces, we can enlarge our order to $(1, \theta, \theta^2/b')$ where $b' = b$ if $3 \nmid b$, $b' = b/3$ if $3 \mid b$. This order will then be $p$-maximal for every prime $p$ except perhaps the prime 3, which we now consider.

We start from the order $(1, \theta, \theta^2/b')$ and consider separately the cases where $3 \mid m$ and $3 \nmid m$.

Assume first that $3 \mid m$. The matrix of the Frobenius with respect to the basis $(1, \theta, \theta^2/b')$ is equal to
$$\begin{pmatrix} 1 & m & a^2b^4/b'^3 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix},$$
and modulo 3 both $m$ and $a^2b^4/b'^3$ are equal to 0. Hence, as in the case $p \ne 3$, the kernel of the Frobenius is generated by $(\theta, \theta^2/b')$. Therefore, in step 9 we take $\alpha_1 = \theta$, $\alpha_2 = \theta^2/b'$ and $\alpha_3 = 3$. The matrix $C$ is then obtained by stacking the following three matrices:
$$\begin{pmatrix} 1 & 0 & 0 \\ 0 & b' & 0 \\ 0 & 0 & m/(3b') \end{pmatrix}, \qquad
\begin{pmatrix} 0 & 0 & m/b'^2 \\ 1 & 0 & 0 \\ 0 & m/(3b') & 0 \end{pmatrix}, \qquad
\begin{pmatrix} 0 & 0 & 0 \\ 0 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix}.$$
Since $3 \nmid b'$ but $3 \mid m$, we have $m/b'^2 \equiv 0 \pmod 3$. On the other hand, $m/(3b')$ is equal to 0 modulo 3 if and only if $3^2 \mid m$, i.e. $3 \mid b$. Hence, we consider two sub-cases.

If $3 \nmid b$, the first three relations show that the kernel of $C$ is equal to 0 and so our order is 3-maximal. Thus, in that case $b' = b$ so an integral basis is $(1, \theta, \theta^2/b)$ and the discriminant of the field $K$ is equal to $-27a^2b^2$.

If $3 \mid b$, the kernel of $C$ is generated by $(0, 0, 1)$ corresponding to $\theta^2/b'$. The Hermite normal form obtained in step 10 is, as for $p \ne 3$, equal to the matrix
$$\begin{pmatrix} 3 & 0 & 0 \\ 0 & 3 & 0 \\ 0 & 0 & 1 \end{pmatrix},$$
giving the larger order $(1, \theta, \theta^2/(3b')) = (1, \theta, \theta^2/b)$.

Since the discriminant of this order is still divisible by 9, we must start again. A similar computation shows that the matrix $C$ is obtained by stacking the following 3 matrices:
$$\begin{pmatrix} 1 & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & ab/3 \end{pmatrix}, \qquad
\begin{pmatrix} 0 & 0 & a \\ 1 & 0 & 0 \\ 0 & ab/3 & 0 \end{pmatrix}, \qquad
\begin{pmatrix} 0 & 0 & 0 \\ 0 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix}$$
and since $3 \nmid ab/3$, the first, third and sixth relation show that the kernel of $C$ is trivial, hence that our order is now 3-maximal. So if $3 \mid b$, an integral basis is $(1, \theta, \theta^2/b)$ and the discriminant of $K$ is equal to $-27a^2b^2$, giving exactly the same result as when $3 \nmid b$.

We now assume that $3 \nmid m$, and so in particular we have $b' = b$. The matrix of the Frobenius is equal to
$$\begin{pmatrix} 1 & ab^2 & a^2b \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix}.$$
Since $a^2 \equiv b^2 \equiv 1 \pmod 3$, this shows that the kernel of the Frobenius is equal to the set of elements $x + y\theta + z\theta^2/b$ such that $x + ay + bz \equiv 0 \pmod 3$. Hence modulo 3 it is, for example, generated by $(\theta - a, \theta^2/b - b)$. This means that in step 9 we can take $\alpha_1 = \theta - a$, $\alpha_2 = \theta^2/b - b$ and $\alpha_3 = 3$. The matrix $C$ is obtained by stacking the following three matrices:
$$\begin{pmatrix} 1 & -a & 0 \\ 0 & b & -a \\ 0 & (b^2 - a^2)/3 & 0 \end{pmatrix}, \qquad
\begin{pmatrix} 0 & -b & a \\ 1 & 0 & -b \\ 0 & 0 & (a^2 - b^2)/3 \end{pmatrix}, \qquad
\begin{pmatrix} 0 & 0 & 0 \\ 0 & 0 & 0 \\ 1 & a & b \end{pmatrix}.$$
We consider two subcases. First assume that $a^2 \not\equiv b^2 \pmod 9$. Then from the first, third and sixth relation we see that the kernel of $C$ is trivial, hence that our order is 3-maximal. This means, as in the case $3 \mid m$, that $(1, \theta, \theta^2/b)$ is an integral basis and the discriminant of $K$ is equal to $-27a^2b^2$.

Assume now that $a^2 \equiv b^2 \pmod 9$. In this case, one sees easily that the kernel of $C$ is generated by $(b, ab, 1)$ corresponding to $\theta^2/b + ab\theta + b$, and the computation of the Hermite normal form of the matrix
$$\begin{pmatrix} b & 3 & 0 & 0 \\ ab & 0 & 3 & 0 \\ 1 & 0 & 0 & 3 \end{pmatrix}$$
leads to the matrix
$$\begin{pmatrix} 3 & 0 & b \\ 0 & 3 & ab \\ 0 & 0 & 1 \end{pmatrix},$$
thus giving a larger order generated by $(1, \theta, (\theta^2 + ab^2\theta + b^2)/(3b))$, and the discriminant of this order being equal to $-3a^2b^2$, hence not divisible by $3^2$, this enlarged order is 3-maximal.

We summarize what we have proved in the following theorem.

Theorem 6.4.13. Let $K = \mathbb{Q}(\sqrt[3]{m})$ be a pure cubic field, where $m$ is cubefree and not equal to $\pm 1$. Write $m = ab^2$ with $a$ and $b$ squarefree and coprime. Let $\theta$ be the cube root of $m$ belonging to $K$. Then

(1) If $a^2 \not\equiv b^2 \pmod 9$ then
$$\left(1,\ \theta,\ \frac{\theta^2}{b}\right)$$
is an integral basis of $K$ and the discriminant of $K$ is equal to $-27a^2b^2$.

(2) If $a^2 \equiv b^2 \pmod 9$ then
$$\left(1,\ \theta,\ \frac{\theta^2 + ab^2\theta + b^2}{3b}\right)$$
is an integral basis of $K$ and the discriminant of $K$ is equal to $-3a^2b^2$.

Proof. Simply note that since $a$ and $b$ are coprime, when $3 \mid m$ we cannot have $a^2 \equiv b^2 \pmod 9$. □

Remark. The condition $a^2 \equiv b^2 \pmod 9$ is clearly equivalent to the condition $m \equiv \pm 1 \pmod 9$.


6.4.4 Decomposition of Primes in Pure Cubic Fields

As examples of applications of Algorithm 6.2.9, we will give explicitly the decomposition of primes in pure cubic fields. We could also treat the case of cyclic cubic fields, but the results would be a little more complicated.

Let $\theta$ be the real root of the polynomial $X^3 - m$, and let $K = \mathbb{Q}(\theta)$. First consider the case of "good" prime numbers $p$, i.e. such that $p$ does not divide the index $[\mathbb{Z}_K : \mathbb{Z}[\theta]]$ (which, by Theorem 6.4.13, is equal to $3b$ or $b$ depending on whether $a^2 \equiv b^2 \pmod 9$ or not). In this case we can directly apply Theorem 4.8.13. In other words the decomposition of $p\mathbb{Z}_K$ mimics that of the polynomial $T(X) = X^3 - m$ modulo $p$.

Now this decomposition is obtained as follows (compare with Section 1.4.2 where the Legendre symbol is defined).

Proposition 6.4.14. Let $p$ be a prime number not dividing $m$. The decomposition of $X^3 - m$ modulo $p$ is of the following type.

(1) If $p \equiv 2 \pmod 3$, then $X^3 - m \equiv (X - u)(X^2 - vX + w) \pmod p$ (where it is of course implicitly understood that the polynomial $X^2 - vX + w$ is irreducible in $\mathbb{F}_p[X]$).

(2) If $p \equiv 1 \pmod 3$ and $m^{(p-1)/3} \equiv 1 \pmod p$ then $X^3 - m \equiv (X - u_1)(X - u_2)(X - u_3) \pmod p$, where $u_1$, $u_2$ and $u_3$ are distinct elements of $\mathbb{F}_p$.

(3) If $p \equiv 1 \pmod 3$ and $m^{(p-1)/3} \not\equiv 1 \pmod p$, then $X^3 - m$ is irreducible in $\mathbb{F}_p[X]$.

(4) If $p = 3$, then $X^3 - m \equiv (X - a)^3 \pmod p$.


Proof. Consider the group homomorphism $\phi$ such that $\phi(x) = x^3$ from $\mathbb{F}_p^*$ into itself. It is clear that if $\phi(x) = 1$, then $(x - 1)(x^2 + x + 1) = 0$ (in $\mathbb{F}_p$) hence
$$(x - 1)\bigl((2x + 1)^2 + 3\bigr) = 0.$$
If $p \equiv 2 \pmod 3$ the quadratic reciprocity law 1.4.7 shows that $\left(\frac{-3}{p}\right) = -1$, hence $-3$ is not equal to a square in $\mathbb{F}_p$. This shows that $(2x + 1)^2 + 3 = 0$ is impossible, hence that the function $\phi$ is injective, hence bijective. In particular, there exists a unique $u \in \mathbb{F}_p$ such that $\phi(u) = m$, hence a unique root of $X^3 - m$ in $\mathbb{F}_p$, proving (1).

For (2) and (3), by quadratic reciprocity we have $\left(\frac{-3}{p}\right) = 1$, hence there exists $z \in \mathbb{F}_p^*$ such that $z^2 = -3$. This immediately implies that the kernel of $\phi$ has exactly 3 elements, and hence that the image of $\phi$ has $(p - 1)/3$ elements. Furthermore, if $g$ is a primitive root modulo $p$, then clearly the image of $\phi$ is the set of elements $x$ of the form $g^{3k}$ for $0 \le k < (p - 1)/3$, and these are exactly those elements such that $x^{(p-1)/3} = 1$ in $\mathbb{F}_p$, proving (2) and (3). Finally, (4) is trivial. □

When $p \mid m$ we trivially have $X^3 - m \equiv X^3 \pmod p$, so we immediately obtain the following corollary in the "easy" cases where $p$ does not divide the index.

Corollary 6.4.15. As above let $K = \mathbb{Q}(\sqrt[3]{m})$ and recall that we have set $m = ab^2$. Assume that $p \nmid b$ and that if $a^2 \equiv b^2 \pmod 9$, then also $p \ne 3$. Then the decomposition of $p\mathbb{Z}_K$ is given as follows.

(1) If $p \mid a$, then $p\mathbb{Z}_K = \mathfrak{p}^3$ where $\mathfrak{p} = p\mathbb{Z}_K + \theta\mathbb{Z}_K$.

(2) If $p \nmid a$ and $p \equiv 2 \pmod 3$, then $p\mathbb{Z}_K = \mathfrak{p}_1\mathfrak{p}_2$ where $\mathfrak{p}_1 = p\mathbb{Z}_K + (\theta - u)\mathbb{Z}_K$ is an ideal of degree 1 and $\mathfrak{p}_2 = p\mathbb{Z}_K + (\theta^2 - v\theta + w)\mathbb{Z}_K$ is an ideal of degree 2.

(3) If $p \nmid a$, $p \equiv 1 \pmod 3$ and $m^{(p-1)/3} \equiv 1 \pmod p$, then $p\mathbb{Z}_K = \mathfrak{p}_1\mathfrak{p}_2\mathfrak{p}_3$ where $\mathfrak{p}_i = p\mathbb{Z}_K + (\theta - u_i)\mathbb{Z}_K$ are three distinct ideals of degree 1.

(4) If $p \nmid a$, $p \equiv 1 \pmod 3$ and $m^{(p-1)/3} \not\equiv 1 \pmod p$, then the ideal $p\mathbb{Z}_K$ is inert.

(5) If $p = 3$ and $p \nmid a$, then $p\mathbb{Z}_K = \mathfrak{p}^3$, where $\mathfrak{p} = p\mathbb{Z}_K + (\theta - a)\mathbb{Z}_K$ is an ideal of degree 1.
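As an added example (my code, not the book's), here are Theorem 6.4.13 and Corollary 6.4.15 in Python: from $m$ the script recovers $a$, $b$, the index $[\mathbb{Z}_K : \mathbb{Z}[\theta]]$, the field discriminant and the integral basis, classifies $p\mathbb{Z}_K$ for a prime $p$ not dividing the index, and cross-checks that classification against the roots of $X^3 - m$ in $\mathbb{F}_p$ (Theorem 4.8.13); function names are my own.

```python
def cubefree_split(m):
    """Write m = a b^2 with a, b squarefree and coprime; raise if m is not cubefree."""
    n, a, b, p = abs(m), 1, 1, 2
    while p * p <= n:
        k = 0
        while n % p == 0:
            n //= p
            k += 1
        if k >= 3:
            raise ValueError("m must be cubefree")
        if k == 1:
            a *= p
        elif k == 2:
            b *= p
        p += 1
    a *= n                       # leftover prime factor, if any (n == 1 otherwise)
    return (-a if m < 0 else a), b


def pure_cubic_data(m):
    """(a, b, index [Z_K : Z[theta]], disc K, integral basis) per Theorem 6.4.13."""
    a, b = cubefree_split(m)
    if (a * a - b * b) % 9 == 0:                     # equivalently m = +-1 (mod 9)
        basis = ("1", "theta", "(theta^2 + a*b^2*theta + b^2)/(3b)")
        return a, b, 3 * b, -3 * a * a * b * b, basis
    return a, b, b, -27 * a * a * b * b, ("1", "theta", "theta^2/b")


def splitting_type(m, p):
    """Shape of p Z_K as a list of (e_i, f_i) pairs (Corollary 6.4.15).

    Returns None when p divides the index, where the corollary does not apply.
    """
    a, b, index, _, _ = pure_cubic_data(m)
    if index % p == 0:
        return None
    if a % p == 0 or p == 3:             # (1) and (5): totally ramified, p Z_K = P^3
        return [(3, 1)]
    if p % 3 == 2:                       # (2): one prime of degree 1, one of degree 2
        return [(1, 1), (1, 2)]
    if pow(m % p, (p - 1) // 3, p) == 1:  # (3): m is a cube mod p, splits completely
        return [(1, 1), (1, 1), (1, 1)]
    return [(1, 3)]                      # (4): inert


def roots_mod_p(m, p):
    """Distinct roots of X^3 - m in F_p by exhaustive search (independent check)."""
    return [x for x in range(p) if (x * x * x - m) % p == 0]


def consistent_with_roots(m, p):
    """For p not dividing the index, the number of degree-1 primes above p must
    equal the number of distinct roots of X^3 - m modulo p (Theorem 4.8.13)."""
    st = splitting_type(m, p)
    if st is None:
        return None
    return sum(1 for _, f in st if f == 1) == len(roots_mod_p(m, p))
```

For $m = 2$ the script gives index 1 and discriminant $-108$, with $5$ splitting as $\mathfrak{p}_1\mathfrak{p}_2$, $7$ inert and $31$ splitting completely; for $m = 10$ (here $m \equiv 1 \pmod 9$) the index is $3$, so $p = 3$ is refused as a "bad" prime.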


We must now consider the more difficult cases where $p$ divides the index. Here we will follow Algorithm 6.2.9 more closely, and we will skip the detailed computations of products and quotients of ideals, which are easy but tedious.

Assume  first  that  a2  ^  b2  (mod  9).  Then  Theorem  6.4.13  tells  us  that 
1,  6 ,  02fb  is  an  integral  basis,  and  according  to  the  algorithm  described  in 
Section  6.2  we  start  by  computing  the  p-radical  of  Z k,  assuming  that  p  |  b.  It 
is  easily  seen  that  the  matrix  of  the  Frobenius  at  p  (or  its  square  for  p  =  2)  is 
always  equal  to  the  matrix 

f1  0  °\ 

0  0  0 

\0  0  0/ 

in  Fp.  Therefore  ( 8 , 02/b)  is  an  Fp-basis  of  Ip.  From  this,  using  Algorithm  6.2.5 
we  obtain  the  following  Fp  bases. 

K~i  =  (0, 92/b),  K 2  =  (9)  and  K]  =  {0}  for  j  >  3. 

As  a  consequence,  using  Algorithm  6.2.7  we  obtain 
J\  =  J2  =  J3  =  {6,92/b),  and  Jj  =  (1 ,9,92/b)  for  j  >  4. 

From  this,  it  is  clear  that  we  have  Hi  =  i72  =  H3  =  K\  and  Hj  =  Z k 
for  j  >  4,  from  which  it  follows  that 
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pZK  =  ATf. 


Since  K  is  a  field  of  degree  equal  to  3,  this  implies  that  K\  is  a  prime  ideal 
(which  of  course  can  be  checked  directly  since  it  is  of  norm  p).  This  shows 
that  p  is  totally  ramified,  and  the  unique  prime  ideal  p  above  p  is  generated 
over  Z  by  ( p,9 , 92/b). 

Note that most of these computations can be avoided. Indeed, once we know a $\mathbb{Z}$-basis of $I_p$, a trivial determinant computation shows that $I_p$ is of norm $p$, hence is a prime ideal of degree 1. Using the notations of Section 6.2, it follows that $g = 1$ and that $p\mathbb{Z}_K = I_p^{e_1}$, and since we are in a field of degree 3, the relation $\sum e_i f_i = 3$ tells us that $e_1 = 3$, thus showing that $p$ is totally ramified.

We have kept the computations however, so that the reader can check his implementation of ideal multiplication and division.

Assume now that $a^2 \equiv b^2 \pmod 9$. Recall that in this case we have $3 \nmid b$. Then Theorem 6.4.13 tells us that $1, \theta, (\theta^2 + ab^2\theta + b^2)/(3b)$ is an integral basis, and we must first compute the $p$-radical of $\mathbb{Z}_K$, assuming that $p \mid 3b$.

Consider first the case where $p \neq 3$, i.e. $p \mid b$. It is easily seen that the matrix of the Frobenius at $p$ (or its square for $p = 2$) is still equal to the matrix

$$\begin{pmatrix} 1 & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix}$$

in $\mathbb{F}_p$, hence we obtain that an $\mathbb{F}_p$-basis of $\overline{I_p}$ is $(\theta, (\theta^2 + ab^2\theta + b^2)/(3b))$. As in the preceding case, one checks trivially that $I_p$ has norm equal to $p$ so is a prime ideal of degree 1, so as before $p$ is totally ramified and $p\mathbb{Z}_K = I_p^3$. For the sake of completeness (or again as exercises), we give the computations as they would have been carried out without noticing this.

By Algorithm 6.2.5 we obtain the following $\mathbb{F}_p$-bases:

$$\overline{K_1} = (\theta, (\theta^2 + ab^2\theta + b^2)/(3b)),\quad \overline{K_2} = (\theta)\quad\text{and}\quad \overline{K_j} = \{0\}\ \text{for } j \geq 3.$$

As a consequence, using Algorithm 6.2.7, we obtain

$$\overline{J_1} = \overline{J_2} = \overline{J_3} = (\theta, (\theta^2 + ab^2\theta + b^2)/(3b)),\quad\text{and}\quad \overline{J_j} = (1, \theta, (\theta^2 + ab^2\theta + b^2)/(3b))\ \text{for } j \geq 4.$$

From this, as before, we have $H_1 = H_2 = H_3 = K_1$ and $H_j = \mathbb{Z}_K$ for $j \geq 4$, from which it follows that

$$p\mathbb{Z}_K = K_1^3.$$

Therefore $p$ is totally ramified, and the unique prime ideal $\mathfrak{p}$ above $p$ is generated over $\mathbb{Z}$ by $(p, \theta, (\theta^2 + ab^2\theta + b^2)/(3b))$.

Finally, still assuming $a^2 \equiv b^2 \pmod 9$, consider the case $p = 3$. The matrix of the Frobenius at 3 is now equal to the matrix

$$\begin{pmatrix} 1 & ab^2 & b(a^2 - 2b^2 + 3a^2b^2 - 3a^2b^4 + a^4b^4)/27 \\ 0 & 0 & ab(1 - a^2b^4)/9 \\ 0 & 0 & b^2(1 + a^2 + a^2b^2)/3 \end{pmatrix}$$

with coefficients in $\mathbb{F}_3$. Since $a^2 \equiv b^2 \pmod 9$ and $3 \nmid ab$, we have

$$1 + a^2 + a^2b^2 \equiv 1 + a^2 + a^4 = (1 - a^2)(1 + 2a^2) + 3a^4 \equiv 3a^4 \pmod 9,$$

hence $3 \nmid (1 + a^2 + a^2b^2)/3$. This shows that $(3, \theta - a, (\theta^2 + ab^2\theta + b^2)/b)$ is a $\mathbb{Z}$-basis of $I_p$, and hence $(\theta - a)$ is an $\mathbb{F}_p$-basis of $\overline{I_p}$. Here the norm of $I_p$ is equal to 9, so we cannot obtain the decomposition of $3\mathbb{Z}_K$ directly, and it is really necessary to do the computations of Algorithm 6.2.9.

By Algorithm 6.2.5, we obtain the following $\mathbb{F}_3$-bases:

$$\overline{K_1} = (\theta - a)\quad\text{and}\quad \overline{K_j} = \{0\}\ \text{for } j \geq 2.$$

As a consequence, using Algorithm 6.2.7, we obtain

$$\overline{J_1} = (\theta - a),\quad \overline{J_2} = (\theta - a, (\theta^2 + ab^2\theta + a^2b^4)/(3b))\quad\text{and}\quad \overline{J_j} = (1, \theta, (\theta^2 + ab^2\theta + b^2)/(3b))\ \text{for } j \geq 3.$$

From this we obtain (after lifting to $O$) that

$$H_1 = (3, \theta - a, (\theta^2 + ab^2\theta - b^2(1 + a^2))/(3b)),\quad H_2 = J_2 = (3, \theta - a, (\theta^2 + ab^2\theta + a^2b^4)/(3b))$$

and $H_j = \mathbb{Z}_K$ for $j \geq 3$. It is immediately checked (for example using the determinant of the matrix of $H_j$) that $H_1$ and $H_2$ are of norm equal to 3, hence are prime ideals. Thus, we obtain that the prime ideal decomposition of $3\mathbb{Z}_K$ is given by

$$3\mathbb{Z}_K = H_1H_2^2$$

where $H_1$ and $H_2$ are distinct prime ideals with $\mathbb{Z}$-basis given above. Hence, 3 is ramified (as it must be since the discriminant of the field is divisible by 3), but not totally ramified as in the case $a^2 \not\equiv b^2 \pmod 9$.

We summarize the above in the following theorem.

Theorem 6.4.16. Let $(1, \theta, \omega)$ be the integral basis of $\mathbb{Z}_K$ given by Theorem 6.4.13 (hence $\omega = \theta^2/b$ if $a^2 \not\equiv b^2 \pmod 9$, $\omega = (\theta^2 + ab^2\theta + b^2)/(3b)$ if $a^2 \equiv b^2 \pmod 9$). Then

(1) If $p \mid b$, then $p$ is totally ramified, and we have $p\mathbb{Z}_K = \mathfrak{p}^3$, where $\mathfrak{p}$ is a prime ideal of degree 1 given by

$$\mathfrak{p} = p\mathbb{Z} + \theta\mathbb{Z} + \omega\mathbb{Z} = p\mathbb{Z}_K + \omega\mathbb{Z}_K.$$

(2) If $p = 3$ and $a^2 \equiv b^2 \pmod 9$, then 3 is partially ramified and we have $3\mathbb{Z}_K = \mathfrak{p}_1\mathfrak{p}_2^2$ where $\mathfrak{p}_1$ and $\mathfrak{p}_2$ are prime ideals of degree 1 given by

$$\mathfrak{p}_1 = 3\mathbb{Z} + (\theta - a)\mathbb{Z} + (\omega - b(2 + a^2)/3)\mathbb{Z} = 3\mathbb{Z}_K + (\omega - b(a^2 + 2)/3)\mathbb{Z}_K$$

and

$$\mathfrak{p}_2 = 3\mathbb{Z} + (\theta - a)\mathbb{Z} + (\omega - b(a^2 - 1)/3)\mathbb{Z} = 3\mathbb{Z}_K + \alpha\mathbb{Z}_K$$

where

$$\alpha = \omega - b(a^2 - 1)/3 \quad\text{if } a^2b^4 \not\equiv 1 \pmod{27},$$

$$\alpha = \omega + \theta - a - b(a^2 - 1)/3 \quad\text{if } a^2b^4 \equiv 1 \pmod{27}.$$

Proof. We have shown everything except the generating systems over $\mathbb{Z}_K$. If $p \mid b$, a simple HNF computation shows that one has $p\mathbb{Z}_K + \omega\mathbb{Z}_K = (p, \theta, \omega)$.

If $p = 3$ and $a^2 \equiv b^2 \pmod 9$, we could also check the result via a HNF computation. Another method is to notice that $3\mathbb{Z}_K = \mathfrak{p}_1\mathfrak{p}_2^2$ and that if we set $\alpha_1 = \omega - b(a^2 + 2)/3$, then $\alpha_1 \in \mathfrak{p}_1$, but $\alpha_1 \notin \mathfrak{p}_2$, otherwise $\mathfrak{p}_1 \subset \mathfrak{p}_2$ which is absurd, so that $\alpha_1\mathbb{Z}_K = \mathfrak{p}_1^e\mathfrak{q}$ with $\mathfrak{q}$ prime to 3, so $3\mathbb{Z}_K + \alpha_1\mathbb{Z}_K = \mathfrak{p}_1$.

For $\mathfrak{p}_2$, if we set $\alpha_2 = \omega - b(a^2 - 1)/3$, then again $\alpha_2 \in \mathfrak{p}_2$ and $\alpha_2 \notin \mathfrak{p}_1$. Hence $\alpha_2\mathbb{Z}_K = \mathfrak{p}_2^e\mathfrak{q}$ with $\mathfrak{q}$ prime to 3. This implies that $3\mathbb{Z}_K + \alpha_2\mathbb{Z}_K = \mathfrak{p}_2^{\min(e,2)}$, hence this can be equal to $\mathfrak{p}_2$ or to its square. To distinguish the two cases, we must compute the norm of $\alpha_2$, whose 3-adic valuation will be equal to $e$. As it happens, it is simpler to work with the norm of $\alpha_2' = \alpha_2 + b(a^2b^2 + a^2 - 2)/3$ (note that $a^2b^2 + a^2 - 2 \equiv (a^2 - 1)(a^2 + 2) \pmod 9$, hence $3\mathbb{Z}_K + \alpha_2\mathbb{Z}_K = 3\mathbb{Z}_K + \alpha_2'\mathbb{Z}_K$).

One computes that $n = \mathcal{N}(\alpha_2') = a^2b(1 - a^2b^4)^2/27$. Hence, if $a^2b^4 \not\equiv 1 \pmod{27}$, the 3-adic valuation of $n$ is equal to 1, therefore $3\mathbb{Z}_K + \alpha_2\mathbb{Z}_K = \mathfrak{p}_2$. If $a^2b^4 \equiv 1 \pmod{27}$, a similar computation shows that the 3-adic valuation of $\mathcal{N}(\alpha_2 + \theta - a)$ is equal to 1, thus proving the theorem. □


6.4.5 General Cubic Fields

In this section, we give without proof a few results concerning the decomposition of primes in general cubic extensions of $\mathbb{Q}$.

Let $K$ be a cubic field. The discriminant $d(K)$ of the number field $K$ can (as any discriminant) be written in a unique way in the form $d(K) = df^2$ where $d$ is either a fundamental discriminant or is equal to 1. The field $k = \mathbb{Q}(\sqrt{d})$ is either $\mathbb{Q}$ if $d = 1$, or is a quadratic field, and is the unique subfield of index 3 of the Galois closure of $K$.

In particular, cyclic cubic fields correspond to $d = 1$, i.e. $k = \mathbb{Q}$, and pure cubic fields correspond to $d = -3$, i.e. $k = \mathbb{Q}(\sqrt{-3})$, the cyclotomic field of third roots of unity.

Let $p$ be a prime number. If $p \nmid d(K)$, then $p$ is unramified. Therefore by Proposition 4.8.10 we have the following cases.

(1) If $\left(\frac{d}{p}\right) = -1$, then $g = 2$. Hence, we have a decomposition of $p$ in the form $p\mathbb{Z}_K = \mathfrak{p}_1\mathfrak{p}_2$ where $\mathfrak{p}_1$ is a prime ideal of degree 1 and $\mathfrak{p}_2$ is a prime ideal of degree 2.

(2) If $\left(\frac{d}{p}\right) = 1$, then $g$ is odd. Hence, either $p$ is inert or $p\mathbb{Z}_K$ is equal to the product of three prime ideals of degree 1.

If $p$ does not divide the index $[\mathbb{Z}_K : \mathbb{Z}[\theta]]$ where $K = \mathbb{Q}(\theta)$, then the two cases are distinguished by the splitting modulo $p$ of the minimal polynomial $T(X)$ of $\theta$.

If $p$ divides the index, then $T$ has at least a double root modulo $p$. If $T$ has a double root, but not a triple root, then $T$ also has a simple root which corresponds to a prime ideal of degree 1. In this case $p\mathbb{Z}_K$ is the product of three ideals of degree 1. Finally, if $T$ has a triple root modulo $p$, we must apply other techniques such as the ones in Section 6.2.

Assume now that $p \mid d(K) = df^2$, hence that $p$ is ramified. Then the result is as follows.

(1) If $p \mid f$, then $p$ is totally ramified. In other words, $p\mathbb{Z}_K = \mathfrak{p}^3$ where $\mathfrak{p}$ is a prime ideal of degree 1.

(2) If $p \mid d$ and $p \nmid f$, then $p$ is partially ramified. In other words, $p\mathbb{Z}_K = \mathfrak{p}_1\mathfrak{p}_2^2$ where $\mathfrak{p}_1$ and $\mathfrak{p}_2$ are distinct prime ideals of degree 1.

(3) Furthermore, if there exists a $p$ such that $p \mid (d, f)$, then we must have $p = 3$ (and we are in case (1), since $p \mid f$).

See for example [Has] for proofs of these results.


6.5 Computing the Class Group, Regulator and Fundamental Units

In this section, we shall give a practical generalization of Buchmann's sub-exponential Algorithm 5.9.2 to an arbitrary number field. This algorithm computes the class group, the regulator and also, if desired, a system of fundamental units, for a number field whose discriminant is not too large. Although based on essentially the same principles as Algorithm 5.9.2, we do not claim that its running time is sub-exponential, even assuming some reasonable conjectures. On the other hand it performs very well in practice. The algorithm originates in an unpublished paper of J. Buchmann, but the present formulation is due to F. Diaz y Diaz, M. Olivier and myself. Like almost all other algorithms in this book, this algorithm has been fully implemented in the author's PARI package (see Appendix A). It is still in an experimental state, hence many refinements need to be made to achieve optimum performance.

We assume that our number field $K$ is given as usual as $K = \mathbb{Q}[\theta]$ where $\theta$ is an algebraic integer. Let $T(X)$ be the minimal monic polynomial of $\theta$. Let $n = [K : \mathbb{Q}] = r_1 + 2r_2$, denote by $\sigma_i$ the complex embeddings of $K$ ordered as usual, and finally let $\omega_1, \dots, \omega_n$ be an integral basis of $\mathbb{Z}_K$, found using for example the round 2 Algorithm 6.1.8.


6.5.1 Ideal Reduction

The only notion that we have not yet introduced and that we will need in an essential way in our algorithm is that of ideal reduction.

Definition 6.5.1. Let $I$ be a fractional ideal and $\alpha$ a non-zero element of $I$. We will say that $\alpha$ is a minimum in $I$ if, for all $\beta \in I$, we have

$$\bigl(\forall i,\ |\sigma_i(\beta)| < |\sigma_i(\alpha)|\bigr) \implies \beta = 0.$$

We will say that the ideal $I$ is reduced if $\ell(I)$ is a minimum in $I$, where

$$I \cap \mathbb{Q} = \ell(I)\mathbb{Z}.$$

The reader can check that this definition of reduction coincides with the definitions given for the imaginary and real quadratic case (see Exercise 16 of Chapter 5).

Definition 6.5.2. Let $v = (v_i)_{1 \leq i \leq n}$ be a vector of real numbers such that $v_{i+r_2} = v_i$ for $r_1 < i \leq r_1 + r_2$. We define the $v$-norm $\|\alpha\|_v$ of $\alpha$ by the formula

$$\|\alpha\|_v^2 = \sum_{i=1}^{n} e^{v_i}\,|\sigma_i(\alpha)|^2.$$

If $\alpha_1, \dots, \alpha_n$ is a $\mathbb{Z}$-basis for the ideal $I$, then $\|\sum_j x_j\alpha_j\|_v^2$ defines a positive definite quadratic form on $I$.

Definition 6.5.3. We say that a $\mathbb{Z}$-basis $\alpha_1, \dots, \alpha_n$ of an ideal $I$ is LLL-reduced along the vector $v$ if it is LLL-reduced for the quadratic form defined by $\|\alpha\|_v^2$.

Thanks to the LLL algorithms seen in Section 2.6 we can efficiently LLL-reduce along $v$ any given basis.

The main point of these definitions is the following.

Proposition 6.5.4. If $\alpha \in I$ is a (non-zero) minimum for the quadratic form $\|\alpha\|_v^2$, then $\alpha$ is a minimum of $I$ in the sense of Definition 6.5.1 above, and $I/\alpha$ is a reduced ideal.

Proof. If $\beta \in I$ is such that for all $i$, $|\sigma_i(\beta)| < |\sigma_i(\alpha)|$, then clearly $\|\beta\|_v^2 < \|\alpha\|_v^2$. Hence, since $\alpha$ is a minimum non-zero value of the quadratic form, we must have $\beta = 0$, so $\alpha$ is a minimum in $I$. Let us show that $I/\alpha$ is a reduced ideal. First, I claim that $I/\alpha \cap \mathbb{Q} = \mathbb{Z}$. Indeed, if $r \in \mathbb{Q}^*$, $r \in I/\alpha$ is equivalent to $r\alpha \in I$, and since $\alpha$ is a minimum and $r$ is invariant under the $\sigma_i$, this implies that $|r| \geq 1$. Since $1 \in I/\alpha$, this proves my claim, hence $\ell(I/\alpha) = 1$. The proposition now follows since $\alpha$ minimum in $I$ is clearly equivalent to 1 minimum in $I/\alpha$. □

The LLL algorithm allows us to find a small vector for our quadratic form, corresponding to an $\alpha \in I$. This $\alpha$ may not be a true minimum, but the inequalities proved in Chapter 2 show that it will in any case be a small vector. If we choose this $\alpha$ instead of a minimum, the ideal $I/\alpha$ will not necessarily be reduced, but it will be sufficient for our needs. For lack of a better term, we will say that $I/\alpha$ is LLL-reduced in the direction $v$.

To summarize, this gives the following algorithm for reduction.

Algorithm 6.5.5 (LLL-Reduction of an Ideal Along a Direction $v$). Given a vector $v$ as above and an ideal $I$ by a $\mathbb{Z}$-basis $\alpha_1, \dots, \alpha_n$, this algorithm computes $\alpha \in I$ and a new ideal $J = I/\alpha$ such that the $v$-norm of $\alpha$ is small.

1. [Set up quadratic form] Let

$$q_{i,j} = \sum_{k=1}^{n} e^{v_k}\,\sigma_k(\alpha_i)\,\overline{\sigma_k(\alpha_j)}$$

(note that these are all real numbers), and let $Q$ be the quadratic form on $\mathbb{R}^n$ whose matrix is $(q_{i,j})$.

2. [Apply LLL] Using the LLL Algorithm 2.6.3, compute an LLL-reduced basis $\beta_1, \dots, \beta_n$ of $I$ corresponding to this quadratic form, and let $\alpha \leftarrow \beta_1$.

3. [Compute $J$] Output $\alpha$ and the $\mathbb{Z}$-basis $\beta_i/\alpha$ of the ideal $J = I/\alpha$ and terminate the algorithm.

Remarks.

(1) The ideal $J$ is a fractional ideal. If desired, we can multiply it by a suitable rational number to make it integral and primitive.

(2) In practice the basis elements $\alpha_i$ are given in terms of a fixed basis $B$ of $K$ (for example either a power basis or an integral basis of $\mathbb{Z}_K$). If we compute once and for all the quadratic form $Q_B$ attached to $B$, it is then easier to compute the quadratic form attached to the ideal $I$. Note however that this argument is only valid for a fixed choice of the vector $v$.


6.5.2 Computing the Relation Matrix

As in the quadratic case we choose a suitable integer $L$ such that non-inert prime ideals of norm less than or equal to $L$ generate the class group. The GRH implies that we can take $L = 12\ln^2|D|$ where $D$ is the discriminant of $K$ (see [Bach]). This is only twice the special value used for quadratic fields. However, if we allow ourselves to be not completely rigorous, we could choose a lower value.

To obtain relations, we will compute random products $I$ of powers of prime ideals. Let $J = I/\alpha$ be an LLL-reduced ideal along a certain direction $v$, obtained using Algorithm 6.5.5. If $J$ factors on a given factor base, as in the quadratic case we will obtain a relation of the type $\prod_i \mathfrak{p}_i^{x_i} = \alpha\mathbb{Z}_K$. This relation will be stored in two parts. The non-Archimedean information $(x_i)$ will be stored as a column of an integral relation matrix $M$. The Archimedean information $\alpha$ will be stored as an $(r_1 + r_2)$-component column vector, by using the complex logarithmic embedding $L_C(\alpha)$ defined in Section 5.8.4. Note that, by definition, the sum of the $r_1 + r_2$ components of this vector is an integral multiple of $2\pi i$.

We now give the algorithm which computes the factor bases and the relation matrix.


Algorithm 6.5.6 (Computation of the Relation Matrix). Given a number field $K$ as above, this algorithm computes integers $k$ and $k_2$ with $k_2 \geq k$, a $k \times k_2$ integral relation matrix $M$, an $(r_1 + r_2) \times k_2$ complex logarithm matrix $M_C$ and an Euler product $z$. These objects will be needed in the class group and unit Algorithm 6.5.9 below. We set $r_u \leftarrow r_1 + r_2$ (this is equal to the unit rank plus one). We choose at will a positive real number $B_1$ and we set $B_2 \leftarrow 12$.

1. [Compute integral basis and limits] Using Algorithm 6.1.8 compute the field discriminant $D = D(K)$ and an integral basis $\omega_1 = 1, \dots, \omega_n$. Set $L_1 \leftarrow B_1\ln^2|D|$, $L_2 \leftarrow B_2\ln^2|D|$ and $L_S \leftarrow (4/\pi)^{r_2}\,(n!/n^n)\,\sqrt{|D|}$.

2. [Compute small factor base] Set $u \leftarrow 1$, $S \leftarrow \emptyset$ and for each prime $p$ such that $p \nmid D$ (i.e. $p$ unramified) do the following until $u > L_S$. Let $p\mathbb{Z}_K = \prod_{1 \leq i \leq g}\mathfrak{p}_i$ be the prime ideal decomposition of $p\mathbb{Z}_K$ obtained using Algorithm 6.2.9. For each $i \leq g - 1$ such that $\mathcal{N}(\mathfrak{p}_i) \leq L_2$, set $S \leftarrow S \cup \{\mathfrak{p}_i\}$ and $u \leftarrow u\mathcal{N}(\mathfrak{p}_i)$. Then $S$ will be a set of prime ideals which we call the small factor base. Let $s$ be its cardinality.

3. [Compute and store powers] For each $\mathfrak{p} \in S$ and each integer $e$ such that $0 \leq e < 20$, compute and store an LLL-reduced ideal equivalent to $\mathfrak{p}^e$, where the reduction is done using Algorithm 6.5.5 with $v$ equal to the zero vector. Note that the Archimedean information must also be stored, using the function $L_C$ as explained above.

4. [Compute factor bases and Euler product] For all primes $p \leq L_2$ compute the prime ideal decomposition of $p\mathbb{Z}_K$ using Algorithm 6.2.9, and let the large factor base LFB be the list of all non-inert prime ideals of norm less than or equal to $L_2$ (where if necessary we also add the elements of $S$), and let the factor base FB be the subset of LFB containing only those primes of norm less than or equal to $L_1$ as well as the elements of $S$. Set $k$ equal to the cardinality of FB, and set $k_2 \leftarrow k + r_u + 10$. Finally, using the prime ideal decompositions, compute the Euler product

$$z \leftarrow \prod_{p \leq L_2}\frac{1 - 1/p}{\prod_{\mathfrak{p} \mid p}\bigl(1 - 1/\mathcal{N}(\mathfrak{p})\bigr)}.$$

5. [Store trivial relations] Set $m \leftarrow 0$. For each $p \leq L_1$ such that all the prime ideals above $p$ are in FB, set $m \leftarrow m + 1$ and store the relation $p\mathbb{Z}_K = \prod_{1 \leq i \leq g}\mathfrak{p}_i^{e_i}$ found in step 4 as the $m$-th column of the matrices $M$ and $M_C$ as explained above.

6. [Generate random power products] Call $\mathfrak{s}_i$ the elements of the small factor base $S$. Let $\mathfrak{q}$ be the ideal number $m + 1 \bmod k$ in FB. Choose random nonnegative integers $v_i < 20$ for $i \leq s + r_u$, set $v_{i+r_2} \leftarrow v_i$ for $s + r_1 < i \leq s + r_u$, compute the ideal $I \leftarrow \mathfrak{q}\prod_{1 \leq i \leq s}\mathfrak{s}_i^{v_i}$ and let $J = I/\alpha$ be the ideal obtained by LLL-reducing $I$ along the direction determined by the $v_i$ for $s < i \leq s + n$ using Algorithm 6.5.5. Note that the $\mathfrak{s}_i^{v_i}$ have been precomputed in step 4.

7. [Relation found?] Using Algorithm 4.8.17, try to factor $\alpha$ (or equivalently the ideal $J$) on the factor base FB. If it factors, set $m \leftarrow m + 1$ and store the relation $IJ^{-1} = \alpha\mathbb{Z}_K$ as the $m$-th column of the matrices $M$ and $M_C$ as explained above.

8. [Enough relations?] If $m < k_2$ go to step 6.

9. [Be honest] For all prime ideals $\mathfrak{q}$ in the large factor base LFB and not belonging to FB, do as follows. Choose randomly integers $v_i$ as in step 6, compute $I \leftarrow \mathfrak{q}\prod_{1 \leq i \leq s}\mathfrak{s}_i^{v_i}$ and let $J = I/\alpha$ be the ideal obtained by LLL-reducing $I$ along the direction determined by the $v_i$ for $s < i \leq s + n$. If all the prime ideals dividing $J$ belong to FB or have already been checked in this test, then $\mathfrak{q}$ is OK, otherwise choose other random integers $v_i$ until $\mathfrak{q}$ passes this test.

10. [Eliminate spurious factors] For each ramified prime ideal $\mathfrak{q}$ which belongs to the factor base FB, check whether the GCD of the coefficients occurring in the matrix $M$ in the row corresponding to $\mathfrak{q}$ is equal to 1 (this is always true if $\mathfrak{q}$ is unramified). If not, as in step 9, choose random $v_i$, compute $I \leftarrow \mathfrak{q}\prod_{1 \leq i \leq s}\mathfrak{s}_i^{v_i}$, LLL-reduce along the $v_i$ for $i > s$ and see if the resulting ideal factors on FB. If it does, add the relation to the matrices $M$ and $M_C$, set $k_2 \leftarrow k_2 + 1$, and continue doing this until the GCD of the coefficients occurring in the row corresponding to $\mathfrak{q}$ is equal to 1.


Remarks.

(1) The constant $B_1$ is usually chosen between 0.1 and 0.8, and controls the execution speed of the general algorithm, as in the quadratic case. On the other hand, the constant $B_2$ must be taken equal to 12 according to Bach's result. It can be taken equal to $B_1$ for maximum speed, but in this case, the result may not be correct even under the GRH. This is useful for long searches.

(2) As in the quadratic case, the constants 10 and 20 used in this algorithm are quite arbitrary but usually work.

(3) Step 10 of this algorithm was added only after the implementation was finished, since it was noticed that for number fields of small discriminant, the class number was usually a multiple of the correct value due to the presence of ramified primes.

(4) The Euler product that is computed is closely linked to $h(K)R(K)$ since

$$\frac{h(K)R(K)}{w(K)} = 2^{-r_1}(2\pi)^{-r_2}\sqrt{|D|}\prod_p \frac{1 - 1/p}{\prod_{\mathfrak{p} \mid p}\bigl(1 - 1/\mathcal{N}(\mathfrak{p})\bigr)},$$

where the outer product runs over all primes $p$ and the innermost product runs over the prime ideals above $p$ (see Exercise 23).
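As an added example (not code from the book or from PARI), the following turns Corollary 6.4.15 and Theorem 6.4.16 into a splitting-type function for $K = \mathbb{Q}(\sqrt[3]{m})$, $m = ab^2$, checks the norm computation from the proof of that theorem, and feeds the splitting data into the truncated Euler product of step 4 of Algorithm 6.5.6 together with the formula of this remark. It assumes $a$, $b$ squarefree and coprime, the discriminant $D = -27(ab)^2$ or $-3(ab)^2$ (when $a^2 \equiv b^2 \pmod 9$) of Theorem 6.4.13, and for the final check the known values $h(K) = 1$ and fundamental unit $\sqrt[3]{2} - 1$ of $\mathbb{Q}(\sqrt[3]{2})$.

```python
from fractions import Fraction
from math import log, pi, sqrt


def splitting_type(a, b, p):
    """(e_i, f_i) of the primes above p in K = Q(theta), theta^3 = a*b^2 (a, b squarefree and coprime)."""
    m = a * b * b
    if b % p == 0:                               # Theorem 6.4.16 (1): p | b, totally ramified
        return [(3, 1)]
    if p == 3 and (a * a - b * b) % 9 == 0:      # Theorem 6.4.16 (2): 3 Z_K = p1 p2^2
        return [(1, 1), (2, 1)]
    # Now p does not divide b, and p != 3 when a^2 = b^2 (mod 9): Corollary 6.4.15 applies.
    if a % p == 0 or p == 3:                     # cases (1) and (5): totally ramified
        return [(3, 1)]
    if p % 3 == 2:                               # case (2): one prime of degree 1, one of degree 2
        return [(1, 1), (1, 2)]
    if pow(m, (p - 1) // 3, p) == 1:             # case (3): m is a cube mod p, three primes of degree 1
        return [(1, 1)] * 3
    return [(1, 3)]                              # case (4): inert


def primes_up_to(limit):
    """Sieve of Eratosthenes."""
    flags = [True] * (limit + 1)
    out = []
    for q in range(2, limit + 1):
        if flags[q]:
            out.append(q)
            for k in range(q * q, limit + 1, q):
                flags[k] = False
    return out


def euler_product(a, b, limit):
    """Truncated Euler product of step 4 of Algorithm 6.5.6: prod_{p<=limit} (1-1/p) / prod_{P|p} (1-1/N(P))."""
    z = 1.0
    for p in primes_up_to(limit):
        local = 1.0
        for e, f in splitting_type(a, b, p):
            local *= 1.0 - 1.0 / p ** f              # N(P) = p^f
        z *= (1.0 - 1.0 / p) / local
    return z


def hR_estimate(a, b, B2=12):
    """Remark (4) and step 2 of Algorithm 6.5.9: 2^{-r1} (2 pi)^{-r2} w(K) sqrt|D| z, with r1 = r2 = 1, w(K) = 2.
    Assumed from Theorem 6.4.13: |D| = 27 (ab)^2, or 3 (ab)^2 when a^2 = b^2 (mod 9)."""
    disc = 3 * (a * b) ** 2 if (a * a - b * b) % 9 == 0 else 27 * (a * b) ** 2
    L2 = int(B2 * log(disc) ** 2)                    # the limit L2 of step 1 of Algorithm 6.5.6
    return sqrt(disc) / (2 * pi) * euler_product(a, b, L2)


def reference_hR_cbrt2():
    """Known value for Q(cbrt 2): h(K) = 1 and the fundamental unit is cbrt(2) - 1, so hR = ln(1 + 2^(1/3) + 2^(2/3))."""
    return log(1 + 2 ** (1 / 3) + 2 ** (2 / 3))


def norm(m, elt):
    """Norm of x + y theta + z theta^2 in Q(theta), theta^3 = m: x^3 + m y^3 + m^2 z^3 - 3 m x y z."""
    x, y, z = elt
    return x ** 3 + m * y ** 3 + m * m * z ** 3 - 3 * m * x * y * z


def v3(q):
    """3-adic valuation of a non-zero rational number."""
    q = Fraction(q)
    val, num, den = 0, q.numerator, q.denominator
    while num % 3 == 0:
        num, val = num // 3, val + 1
    while den % 3 == 0:
        den, val = den // 3, val - 1
    return val


def alpha2(a, b):
    """alpha_2 = omega - b(a^2 - 1)/3 = (theta^2 + a b^2 theta + b^2 (2 - a^2)) / (3b), from the proof."""
    d = Fraction(1, 3 * b)
    return (b * b * (2 - a * a) * d, a * b * b * d, d)


def alpha2_prime(a, b):
    """alpha_2' = alpha_2 + b(a^2 b^2 + a^2 - 2)/3 = (theta^2 + a b^2 theta + a^2 b^4) / (3b)."""
    d = Fraction(1, 3 * b)
    return (a * a * b ** 4 * d, a * b * b * d, d)


def alpha_theorem(a, b):
    """The generator alpha of p_2 in Theorem 6.4.16 (2), chosen according to a^2 b^4 mod 27."""
    x, y, z = alpha2(a, b)
    return (x - a, y + 1, z) if (a * a * b ** 4) % 27 == 1 else (x, y, z)


if __name__ == "__main__":
    for p in (2, 3, 5, 7, 31):
        print(p, splitting_type(2, 1, p))
    print("N(alpha_2') for m = 10:", norm(10, alpha2_prime(10, 1)))       # 36300, 3-adic valuation 1
    print("hR estimate for Q(cbrt 2):", hR_estimate(2, 1), "reference:", reference_hR_cbrt2())
```

For $m = 676 = 1 \cdot 26^2$ one has $a^2b^4 \equiv 1 \pmod{27}$, and the code confirms that $\mathcal{N}(\alpha_2')$ then has 3-adic valuation 3 while $\mathcal{N}(\alpha_2 + \theta - a)$ has valuation 1, which is exactly the case distinction of the theorem.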
6.5.3 Computing the Regulator and a System of Fundamental Units

Before giving the complete algorithm, we need to explain how to extract from the Archimedean information that we have computed both the regulator and a system of fundamental units of $K$.

After suitable column operations on the matrices $M$ and $M_C$ as explained below in Algorithm 6.5.9, we will obtain a complex matrix $C$ whose columns correspond to the Archimedean information associated to zero exponents, i.e. to a relation of the form $\mathbb{Z}_K = \alpha\mathbb{Z}_K$. In other words, the columns are complex logarithmic embeddings of units. As in the real quadratic case, we can obtain the regulator of the subgroup spanned by these units (which hopefully is equal to the field regulator) by computing a real GCD of $(r_u - 1) \times (r_u - 1)$ sub-determinants as follows.

Algorithm 6.5.7 (Computation of the Regulator and Fundamental Unit Matrix). Given an $r_u \times r$ complex matrix $C$ whose columns are the complex logarithmic embeddings of units, this algorithm computes the regulator $R$ of the subgroup spanned by these units as well as an $r_u \times (r_u - 1)$ complex matrix $F$ whose columns give a basis of the lattice spanned by the columns of $C$. As usual we denote by $C_j$ the columns of the matrix $C$ and we assume that the real part of $C$ is of rank equal to $r_u - 1$.

1. [Initialize] Let $R \leftarrow 0$ and $j \leftarrow r_u - 2$.

2. [Loop] Set $j \leftarrow j + 1$. If $j > r$, let $F$ be the matrix formed by the last $r_u - 1$ columns of $C$, output $R$ and $F$ and terminate the algorithm.

3. [Compute determinant] Let $A$ be the $(r_u - 1) \times (r_u - 1)$ matrix obtained by extracting from $C$ any $r_u - 1$ rows, columns $j - r_u + 2$ to $j$, and taking the real part. Let $R_1 \leftarrow \det(A)$. Using the real GCD Algorithm 5.9.3, compute the RGCD $d$ of $R$ and $R_1$ as well as integers $u$ and $v$ such that $uR + vR_1 = d$ (note that Algorithm 5.9.3 does not give $u$ and $v$, but it can be easily extended to do so, as in Algorithm 1.3.6).

4. [Replace] Set $R \leftarrow d$, $C_j \leftarrow vC_j + (-1)^{r_u}uC_{j-r_u+1}$ (where $C_0$ is to be understood as the zero column) and go to step 2.

The proof of the validity of this algorithm is immediate once we notice that the GCD and replacement operations in steps 3 and 4 correspond to computing the sum of two sub-lattices of the unit lattice given by two $\mathbb{Z}$-bases differing by a single element. The sign $(-1)^{r_u}$ is the signature of the cyclic permutation that is performed. Note also that the real GCD Algorithm 5.9.3 may be applied since by [Zim1] and [Fri] we know that regulators of number fields are uniformly bounded from below by 0.2. □
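Algorithm 6.5.7 as an added example (not the book's or PARI's code). The real GCD Algorithm 5.9.3 is not reproduced on this page, so a nearest-integer Euclidean algorithm on reals that also returns the cofactors $u, v$ is used in its place; the input is a constructed stand-in for genuine unit logarithms, built from a hidden basis of covolume 1.25, so that the recovered $R$ can be checked. The names `det`, `real_gcd_ext`, `regulator_and_basis` and `constructed_unit_lattice` are the example's own.

```python
from math import log, sqrt


def det(A):
    """Determinant of a square matrix of floats, Gaussian elimination with partial pivoting."""
    A = [row[:] for row in A]
    n, d = len(A), 1.0
    for i in range(n):
        piv = max(range(i, n), key=lambda r: abs(A[r][i]))
        if A[piv][i] == 0.0:
            return 0.0
        if piv != i:
            A[i], A[piv] = A[piv], A[i]
            d = -d
        d *= A[i][i]
        for r in range(i + 1, n):
            f = A[r][i] / A[i][i]
            A[r] = [p - f * q for p, q in zip(A[r], A[i])]
    return d


def real_gcd_ext(a, b, bound=0.2, eps=1e-9):
    """Stand-in for the real GCD Algorithm 5.9.3 with cofactors (in the style of Algorithm 1.3.6):
    nearest-integer Euclid on reals, returning (d, u, v) with u*a + v*b = d > 0. Remainders below eps count
    as zero. When a and b are determinants of sub-lattices of the unit lattice, every remainder is an integer
    multiple of the covolume of their sum, hence is 0 or at least 0.2 (the lower bound on regulators quoted
    above); a remainder strictly between eps and bound therefore means the precision was insufficient."""
    r0, u0, v0 = a, 1, 0
    r1, u1, v1 = b, 0, 1
    while abs(r1) > eps:
        if abs(r1) < bound:
            raise ArithmeticError("remainder %g is below the regulator bound: precision loss" % r1)
        q = round(r0 / r1)
        r0, r1 = r1, r0 - q * r1
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    if r0 < 0:
        r0, u0, v0 = -r0, -u0, -v0
    return r0, u0, v0


def regulator_and_basis(C, r_u, bound=0.2, eps=1e-9):
    """Algorithm 6.5.7. C is a list of r_u rows (real or complex entries), one column per unit.
    Returns (R, F) with F the last r_u - 1 columns of the transformed matrix. Columns are numbered from 1
    as in the text; the rows extracted in step 3 are the first r_u - 1."""
    C = [row[:] for row in C]
    r = len(C[0])
    R, j = 0.0, r_u - 2                                             # step 1
    while True:
        j += 1                                                      # step 2
        if j > r:
            return R, [row[r - (r_u - 1):] for row in C]
        A = [[C[i][c - 1].real for c in range(j - r_u + 2, j + 1)]  # step 3: columns j-r_u+2 .. j
             for i in range(r_u - 1)]
        R1 = det(A)
        d, u, v = real_gcd_ext(R, R1, bound, eps)
        R = d                                                       # step 4
        sign = (-1) ** r_u
        for i in range(r_u):                                        # C_j <- v C_j + (-1)^{r_u} u C_{j-r_u+1}
            prev = C[i][j - r_u] if j - r_u + 1 >= 1 else 0.0      # C_0 is the zero column
            C[i][j - 1] = v * C[i][j - 1] + sign * u * prev


def constructed_unit_lattice():
    """Constructed stand-in for unit logarithms: a hidden basis c1, c2 of covolume 1.25 in the first two
    rows, five columns that are integer combinations of it, and a third row making every column sum to
    zero (as the real parts of logarithmic embeddings of units do). Here r_u = 3."""
    c1, c2 = (0.9, -0.4), (0.2, 1.3)
    combos = [(2, 1), (1, 1), (3, 2), (1, -1), (0, 1)]
    rows = [[p * c1[i] + q * c2[i] for p, q in combos] for i in range(2)]
    rows.append([-(rows[0][k] + rows[1][k]) for k in range(len(combos))])
    return rows


def quadratic_check():
    """Real quadratic sanity check: (1+sqrt 2)^2 and (1+sqrt 2)^3 generate a group of regulator ln(1+sqrt 2)."""
    d, u, v = real_gcd_ext(log(3 + 2 * sqrt(2)), log(7 + 5 * sqrt(2)))
    return d, log(1 + sqrt(2))


if __name__ == "__main__":
    R, F = regulator_and_basis(constructed_unit_lattice(), 3)
    print("recovered regulator:", R)                                # 1.25
    print("covolume of F:", abs(det([[F[i][c].real for c in range(2)] for i in range(2)])))   # 1.25
    print("real GCD of unit logs in Q(sqrt 2):", quadratic_check())
```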

To compute the regulator, we have only used the real part of the matrix $C$. We now explain how the use of the imaginary part, and more precisely of the matrix $F$ output by this algorithm, allows us in principle to compute a system of fundamental units. Note that, by construction, the columns of $F$ are the complex logarithmic embeddings of a system of fundamental units of $\mathbb{Z}_K$. However, this may be a very badly skewed basis of units, hence the first thing is to compute a nice basis using the LLL algorithm. This leads to the following algorithm.

Algorithm 6.5.8 (Computation of a System of Fundamental Units). Given the regulator $R$ and the $r_u \times (r_u - 1)$ matrix $F$ output by Algorithm 6.5.7, this algorithm computes a system of fundamental units, expressing them on an integral basis $\omega_i$. We let $f_{i,j}$ be the coefficients of $F$.

1. [Build matrix] Set $r \leftarrow r_u - 1$. For $j = 1, \dots, r$ set $b_{i,j} \leftarrow f_{i,j}$ if $i \leq r_1$, $b_{i,j} \leftarrow f_{i,j}/2$ if $r_1 < i \leq r_u$ and $b_{i,j} \leftarrow \overline{f_{i-r_2,j}}/2$ if $r_u < i \leq n$. Let $B$ be the $n \times r$ matrix with coefficients $b_{i,j}$.

2. [LLL reduce] Using the LLL Algorithm 2.6.3 on the real part of the matrix $B$, compute an $r \times r$ unimodular matrix $U$ such that the real part of $BU$ is LLL-reduced. Let $E = (e_{i,j})$ be the $n \times r$ matrix such that $e_{i,j} = \exp(b'_{i,j})$, where $BU = (b'_{i,j})$. (Note that the exponential taken here may overflow the possibilities of the implementation, in which case the algorithm must be aborted.)

3. [Solve linear system] Let $\Omega = (w_{i,j})$ be the $n \times n$ matrix such that $w_{i,j} = \sigma_i(\omega_j)$ (where, as before, $(\omega_i)$ is an integral basis of $\mathbb{Z}_K$). Set $F_u \leftarrow \Omega^{-1}E$.

4. [Round] The coefficients of $F_u$ should be close to rational integers. If this is not the case, then either the precision used to make the computations was insufficient or the units are too large, and the algorithm fails. Otherwise, round all the coefficients of $F_u$ to the nearest integer.

5. [Check] Check that the columns of $F_u$ correspond to units and that the usual regulator determinant constructed using the columns of $F_u$ is equal to $R$. If this is the case, output the matrix $F_u$ and terminate the algorithm (the columns of this matrix give the coefficients of a system of fundamental units expressed on the integral basis $\omega_i$). Otherwise, output an error message saying that the accuracy is insufficient to compute the fundamental units.


6.5.4  The  General  Class  Group  and  Unit  Algorithm 

We  are  now  ready  to  give  a  general  algorithm  for  class  group,  regulator  and 
fundamental  unit  computation. 

Algorithm  6.5.9  (Class  Group,  Regulator  and  Units  for  General  Number 
Fields).  Let  K  =  Q[0]  be  a  number  field  of  degree  n  given  by  a  primitive 
algebraic  number  $,  let  T  be  the  minimal  monic  polynomial  of  9.  We  assume  that 
we  have  already  computed  the  signature  (?r,r2)  of  K  using  Algorithm  4.1.11. 
This  algorithm  computes  the  class  number  h(K),  the  class  group  Cl(K),  the 


6.5  Computing  the  Class  Group,  Regulator  and  Fundamental  Units 


359 


order  of  the  subgroup  of  roots  of  unity  w(K),  the  regulator  R(K)  and  a  system 

of  fundamental  units  of  Z#. 

1.  [Compute  relation  matrices  and  Euler  product]  Using  Algorithm  6.5.6,  com¬ 
pute  the  discriminant  D(K),  a  fcxfe2  integral  relation  matrix  M,  a  ru  x 
complex  logarithm  matrix  Me  and  an  Euler  product  z. 

2.  [Compute  roots  of  unity]  Using  Algorithm  4.9.9  compute  the  order  w(K )  of 
the  group  of  roots  of  unity  in  K.  Output  w(K)  and  set 

2  <-  2-ri{27r)-r2w{K)^/\D{K)\  ■ z 
(now  2  should  be  close  to  h(K)R(K)). 

3.  [Simple  HNF]  Perform  a  preliminary  simple  Hermite  reduction  on  the  matrix 
M  as  described  in  the  remarks  after  Algorithm  5.5.2.  All  column  operations 
done  on  the  matrix  M  should  also  be  done  on  the  corresponding  columns  of 
the  matrix  Me-  Denote  by  M'  and  M'c  the  matrices  obtained  in  this  way. 

4.  [Compute  probable  regulator  and  units]  Using  Algorithm  2.7.2,  compute 
the  LLL-reduced  integral  kernel  A  of  M'  as  a  rectangular  matrix,  and  set 
C  <—  MqA.  By  applying  Algorithm  6.5.7  and  if  desired  also  Algorithm  6.5.8, 
compute  a  probable  value  for  the  regulator  R  and  the  corresponding  system 
of  units  which  will  be  fundamental  if  R  is  correct. 

5.  [HNF  reduction]  Using  Algorithm  2.4.8,  compute  the  Hermite  normal  form 
H  =  ( hij )  of  the  matrix  M'  using  modulo  d  techniques,  where  d  can  be  com¬ 
puted  using  standard  Gaussian  elimination  (or  simply  use  Algorithm  2.4.5).  If 
one  of  the  matrices  H  or  C  is  not  of  maximal  rank,  get  10  more  relations 
as  in  steps  6  and  7  of  Algorithm  6.5.6  and  go  to  step  3.  (It  will  not  be  nec¬ 
essary  to  recompute  the  whole  HNF.) 

6.  [Simplify  H]  For  every  i  such  that  hij  =  1,  suppress  row  and  column  i,  and 
let  W  be  the  resulting  matrix. 

7.  [Finished?]  Let  h  <—  det(FU)  (i.e.  the  product  of  the  diagonal  elements).  If 
hR  >  z\/2,  get  10  more  relations  in  steps  6  and  7  of  Algorithm  6.5.6  and  go 
to  step  3  (same  remark  as  above).  Otherwise,  output  h  as  the  class  number,  R 
as  the  regulator,  and  the  system  of  fundamental  units  if  it  has  been  computed. 

8. [Class group] Compute the Smith normal form of $W$ using Algorithm 2.4.14. Output those among the diagonal elements $d_i$ which are greater than 1 as the invariants of the class group (i.e. $Cl(K) \simeq \bigoplus \mathbb{Z}/d_i\mathbb{Z}$) and terminate the algorithm.

Remarks. 

(1) Most implementation remarks given after Algorithm 5.5.2 also apply here. In particular the correctness of the results given by this algorithm depends on the validity of GRH and on the constant $B_2 = 12$ chosen in Algorithm 6.5.6. To speed up this algorithm, one can take $B_2$ to be a much lower value, and practice shows that this works well, but the results are then no longer guaranteed to be correct even under GRH, until someone improves Bach's bounds.

(2) The randomization of the direction of ideal reduction performed in step 6 of Algorithm 6.5.6 is absolutely essential for the correct performance of the algorithm. Intuitively the first $s$ values of $v_i$ correspond to randomization of the non-Archimedean components, while the last $r_u$ values randomize the Archimedean components. If the reduction was always done using the zero vector for instance, we would almost never obtain a relation matrix giving us the correct class number and regulator.

(3) An important speedup can be obtained by generating some relations in a completely different way. Assume that we can generate many elements $\alpha \in \mathbb{Z}_K$ of reasonably small norm. Then it is reasonable to expect that $\alpha\mathbb{Z}_K$ will factor on the factor base $FB$, thus giving us a relation. To obtain elements of small norm we can use the Fincke-Pohst Algorithm 2.7.7 on the quadratic form $\|\alpha\|_0$ defined on the lattice $\mathbb{Z}_K$, where $0$ denotes the zero vector. If $\|\alpha\|_0 \le nB^{2/n}$ then the inequality between arithmetic and geometric means easily shows that $|\mathcal{N}(\alpha)| \le B$, hence this indeed allows us to find elements of small norm. The reader is warned however that the relations that may be obtained in this way will in general not be random and may generate sub-lattices of the correct lattice.

(4) It is often useful, not only to compute the class group as an abstract group $Cl(K) \simeq \bigoplus \mathbb{Z}/d_i\mathbb{Z}$, but to compute explicitly a generating set of ideal classes $g_i$ such that $g_i$ is of order $d_i$. This can easily be done by keeping track of the Smith reduction matrices in the above algorithm.


6.5.5  The  Principal  ideal  Problem 

As in the real quadratic case, we can now solve the principal ideal problem for general number fields. In other words, given an ideal $I$ of $\mathbb{Z}_K$, determine whether $I$ is a principal ideal, and if this is the case, find an $\alpha \in K$ such that $I = \alpha\mathbb{Z}_K$.

To do this, we need to keep some information that was discarded in Algorithm 6.5.9. More precisely, we must keep better track of the Hermite reduction which is performed, including the simple Hermite reduction stage. If we do so, we will have kept a matrix $M''$ of relations which will be of the form
$$M'' = \begin{pmatrix} 0 & W & B \\ 0 & 0 & I \end{pmatrix},$$
where $0$ denotes the zero matrix, $I$ is some identity matrix and $W$ is the square matrix in Hermite normal form computed in Step 6 of Algorithm 6.5.9. Together with this matrix, we must also compute the corresponding complex matrix $M''_C$, so that each column of $M''$ and $M''_C$ still corresponds to a relation. Finally, in Step 8 of Algorithm 6.5.9, we also keep the unimodular matrix $U$ such that $D = UWV$ is in Smith normal form (it is not necessary to keep the unimodular matrix $V$).


Now given an ideal $I$ we can first compute the norm of $I$. If it is small, then $I$ will factor on the factor base $FB$ chosen in Algorithm 6.5.6. Otherwise, as in Algorithm 6.5.6, we choose random exponents $v_i$ and compute $I\prod_{1\le i\le s}\mathfrak{p}_i^{v_i}$ and reduce this ideal (along the direction $0$ for instance; here it does not matter). Since this reduced ideal has a reasonably small norm, we may hope to factor it on our factor base, thus expressing $I$ in the form $I = \alpha\prod_{1\le i\le k}\mathfrak{p}_i^{x_i}$, where we denote by $\mathfrak{p}_i$ the elements of $FB$.

Once such an equality is obtained, we proceed as follows. Since the columns of $M''$ generate the lattice of relations among the $\mathfrak{p}_i$ in the class group, it is clear that $I$ is a principal ideal if and only if the column vector of the $x_i$ is in the image of $M''$. Let $r$ (resp. $c$) be the number of rows (resp. columns) of the matrix $B$ occurring in $M''$ as described above, and let $c_1$ be the number of initial columns of zeros in $M''$. Then if $X$ (resp. $Y$) is the column vector of the $x_i$ for $1 \le i \le r$ (resp. $r < i \le k$), then $I$ is a principal ideal if and only if there exists an integral column vector $Z$ such that $WZ + BY = X$. This is equivalent to $U^{-1}DV^{-1}Z = X - BY$, and since $V$ is unimodular this is equivalent to the existence of an integral column vector $Z_1$ such that
$$DZ_1 = U(X - BY).$$
Since $D$ is a diagonal matrix, this means that the $j$-th element of $U(X - BY)$ must be divisible by the $j$-th diagonal element of $D$.

If $I$ is found in this way to be a principal ideal, the use of the complex matrix $M''_C$ allows us to find $\alpha$ such that $I = \alpha\mathbb{Z}_K$. This gives the following algorithm.

Algorithm 6.5.10 (Principal Ideal Testing). Given an ideal $I$ of $\mathbb{Z}_K$, this algorithm tests whether $I$ is a principal ideal, and if it is, computes an $\alpha \in K$ such that $I = \alpha\mathbb{Z}_K$. We assume computed the matrices $M''$ and $M''_C$ (and hence the matrices $W$ and $B$), as well as the unimodular matrices $U$ and $V$ and the diagonal matrix $D$ such that $UWV = D$ is in Smith normal form, as explained above. We keep the notations of Algorithm 6.5.6.

1. [Reduce to primitive] If $I$ is not a primitive integral ideal, compute a rational number $a$ such that $I/a$ is primitive integral, and set $I \leftarrow I/a$.

2. [Small norm?] If $\mathcal{N}(I)$ is divisible only by prime numbers below the prime ideals in the factor base $FB$ (i.e. less than or equal to $L_1$), set $v_i \leftarrow 0$ for $i \le s$, $\beta \leftarrow a$ and go to step 4.

3. [Generate random relations] Choose random nonnegative integers $v_i < 20$ for $i \le s$, compute the ideal $I_1 \leftarrow I\prod_{1\le i\le s}\mathfrak{p}_i^{v_i}$ and let $J = I_1/\gamma$ be the ideal obtained by LLL-reducing $I_1$ along the direction of the zero vector. If $\mathcal{N}(J)$ is divisible only by the prime numbers less than or equal to $L_1$, set $I \leftarrow J$, $\beta \leftarrow a\gamma$ and go to step 4. Otherwise, go to step 3.

4. [Factor $I$] Using Algorithm 4.8.17, factor $I$ on the factor base $FB$. Let $I = \prod_{1\le i\le k}\mathfrak{p}_i^{x_i}$. Let $X$ (resp. $Y$) be the column vector of the $x_i - v_i$ for $i \le r$ (resp. $i > r$), where $r$ is the number of rows of the matrix $B$, as above, and where we set $v_i = 0$ for $i > s$.

5. [Check if principal] Let $Z \leftarrow D^{-1}U(X - BY)$ (since $D$ is a diagonal matrix, no matrix inverse must be computed here). If some entry of $Z$ is not integral, output a message saying that the ideal $I$ is not a principal ideal and terminate the algorithm.

6. [Use Archimedean information] Let $A$ be the $(c_1 + k)$-column vector whose first $c_1$ elements are zero, whose next $r$ elements are the elements of $Z$, and whose last $k - r$ elements are the elements of $Y$. Let $A_C = (a_i)_{1\le i\le r_1+r_2} \leftarrow M''_C A$.

7. [Restore correct information] Set $s \leftarrow (\ln\mathcal{N}(I))/n$, and let $A' = (a'_i)_{1\le i\le n}$ be defined by $a'_i \leftarrow \exp(s + a_i)$ if $i \le r_1$, $a'_i \leftarrow \exp(s + a_i/2)$ if $r_1 < i \le r_1 + r_2$ and $a'_i \leftarrow \exp(s + a_{i-r_2}/2)$ if $r_1 + r_2 < i \le n$. (As in Algorithm 6.5.8, the exponential which is computed here may overflow the possibilities of the implementation, in which case the algorithm must be aborted.)

8. [Round] Set $A'' \leftarrow \Omega^{-1}A'$, where $\Omega = (\sigma_j(\omega_i))$ as in Algorithm 6.5.8. The coefficients of $A''$ must be close to rational integers. If this is not the case, then either the precision used to make the computation was insufficient or the desired $\alpha$ is too large. Otherwise, round the coefficients of $A''$ to the nearest integer.

9. [Terminate] Let $\alpha'$ be the element of $\mathbb{Z}_K$ whose coordinates in the integral basis are given by the vector $A''$. Set $\alpha \leftarrow \beta\alpha'$ (product computed in $K$). If $I \ne \alpha\mathbb{Z}_K$, output an error message stating that the accuracy is not sufficient to compute $\alpha$. Otherwise, output $\alpha$ and terminate the algorithm.

Note that, since we chose the complex logarithmic embedding $L_C(\alpha)$ of Section 5.8.4, which is normalized by $\mathcal{N}(\alpha)^{-1/n}$, we must adjust the components by $s = (\ln\mathcal{N}(I))/n$ before computing the exponential in Step 7.

Remark. It is often useful in step 5 to give more information than just the negative information that $I$ is not a principal ideal. Indeed, if as suggested in Remark (4) after Algorithm 6.5.9, the explicit generators $g_i$ of order $d_i$ of the class group $Cl(K)$ have been computed, we can easily compute $\alpha$ and $k_i$ such that $I = \alpha\prod_i g_i^{k_i}$ and $0 \le k_i < d_i$. The necessary modifications to the above algorithm are easy and left to the reader.
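The divisibility test of step 5 and the class coordinates $k_i$ of the remark above, carried out on the relation matrix $W$ alone, as an added Python example that is not part of the book. It computes the Smith normal form $D = UWV$ together with the transformation matrices (the book delegates this to Algorithm 2.4.14), then reads off the class-group invariants $d_i > 1$ and decides whether a vector of exponents lies in the image of $W$. The matrix $W$ used below is a constructed sample, not the relation matrix of any particular field; the code assumes that $W$ is square and non-singular, as it is after step 6 of Algorithm 6.5.9, and that the input vector is already the reduced vector $X - BY$ of step 5.

```python
"""Added example (not from the book): step 5 of Algorithm 6.5.10 and the class
coordinates of the following remark, on the Hermite-reduced relation matrix W.
W is assumed square and non-singular; the sample W in the usage is constructed."""


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def smith_normal_form(W):
    """Return (D, U, V) with U*W*V = D, D diagonal, d_i >= 0 and d_i | d_{i+1},
    U and V unimodular.  Every row operation on the work matrix is mirrored on U
    and every column operation on V, so U*W*V = D holds after each step."""
    m, n = len(W), len(W[0])
    A = [row[:] for row in W]
    U, V = identity(m), identity(n)
    for t in range(min(m, n)):
        while True:
            # Move the non-zero entry of smallest absolute value of the trailing block to (t, t).
            piv = None
            for i in range(t, m):
                for j in range(t, n):
                    if A[i][j] and (piv is None or abs(A[i][j]) < abs(A[piv[0]][piv[1]])):
                        piv = (i, j)
            if piv is None:
                break                      # trailing block is zero: remaining d_i are 0
            i, j = piv
            A[t], A[i] = A[i], A[t]
            U[t], U[i] = U[i], U[t]
            for row in A:
                row[t], row[j] = row[j], row[t]
            for row in V:
                row[t], row[j] = row[j], row[t]
            piv_val = A[t][t]
            clean = True
            for i in range(t + 1, m):      # clear column t below the pivot
                q = A[i][t] // piv_val
                if q:
                    A[i] = [a - q * b for a, b in zip(A[i], A[t])]
                    U[i] = [a - q * b for a, b in zip(U[i], U[t])]
                clean = clean and A[i][t] == 0
            for j in range(t + 1, n):      # clear row t to the right of the pivot
                q = A[t][j] // piv_val
                if q:
                    for row in A:
                        row[j] -= q * row[t]
                    for row in V:
                        row[j] -= q * row[t]
                clean = clean and A[t][j] == 0
            if not clean:
                continue                   # a remainder smaller than |pivot| appeared
            bad = next((i for i in range(t + 1, m) for j in range(t + 1, n)
                        if A[i][j] % piv_val), None)
            if bad is None:
                break                      # pivot divides the whole trailing block
            A[t] = [a + b for a, b in zip(A[t], A[bad])]   # force a smaller remainder
            U[t] = [a + b for a, b in zip(U[t], U[bad])]
    for t in range(min(m, n)):             # make the diagonal non-negative
        if A[t][t] < 0:
            A[t] = [-a for a in A[t]]
            U[t] = [-a for a in U[t]]
    return A, U, V


def class_group_invariants(W):
    """The d_i > 1 of the Smith form: Cl = (+) Z/d_i Z, as in step 8 of Algorithm 6.5.9."""
    D, _, _ = smith_normal_form(W)
    return [D[i][i] for i in range(len(D)) if D[i][i] > 1]


def class_coordinates(W, x):
    """Coordinates (k_i mod d_i), one per d_i > 1, of the class of prod p_i^{x_i}.
    Since D = U W V, x is in the image of W iff D divides U x entrywise,
    i.e. iff all coordinates returned here are zero."""
    D, U, _ = smith_normal_form(W)
    y = [sum(U[i][k] * x[k] for k in range(len(x))) for i in range(len(U))]
    coords = []
    for i, yi in enumerate(y):
        d = D[i][i] if i < len(D[0]) else 0
        if d == 0 and yi != 0:
            raise ValueError("W is singular: not enough relations (get more, as in step 5)")
        if d > 1:
            coords.append(yi % d)
    return coords


def is_principal(W, x):
    """Step 5 of Algorithm 6.5.10 for a vector already reduced to the coordinates of W."""
    return all(c == 0 for c in class_coordinates(W, x))
```

For $W = \begin{pmatrix} 2 & 1 \\ 0 & 6 \end{pmatrix}$ the Smith form is $\mathrm{diag}(1, 12)$, so the group cut out by these relations is cyclic of order 12; the exponent vector $(1, 0)$ is not principal but its square $(2, 0)$ is, which forces its class coordinate to be 6, while $(1, 6)$ is principal. The `bad` step in the Smith reduction is what guarantees $d_i \mid d_{i+1}$: without it one obtains a diagonal matrix whose entries are not the invariants of the group.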


6.6  Exercises  for  Chapter  6 


1. By Theorem 6.1.4, $\mathbb{Z}[\theta] + (U(\theta)/p)\mathbb{Z}[\theta]$ is an order, hence a ring. Clearly the only non-trivial fact to check about this is that $(U(\theta)/p)^2$ is still in this order. Using the notations of Theorem 6.1.4, show how to compute polynomials $A$ and $B$ in $\mathbb{Z}[X]$ such that
$$\frac{U(\theta)^2}{p^2} = A(\theta) + B(\theta)\frac{U(\theta)}{p}.$$
2. Compute the maximal order of pure cubic fields using only Dedekind's criterion (Theorem 6.1.4) instead of the Pohst-Zassenhaus theorem.

3. (F. Diaz y Diaz.) With the notations of Theorem 6.1.4, show that a restatement of the Dedekind criterion is the following. Let $r_i(X)$ be the remainder of the Euclidean division of $T(X)$ by $t_i(X)$. We have evidently $r_i \in p\mathbb{Z}[X]$. Set $d_i = 1$ if $e_i \ge 2$ and $r_i \in p^2\mathbb{Z}[X]$, $d_i = 0$ otherwise. Then in (3) we can take $U(X) = \prod_i t_i(X)^{d_i}$. In particular, $\mathbb{Z}[\theta]$ is $p$-maximal if and only if $r_i \notin p^2\mathbb{Z}[X]$ for every $i$ such that $e_i \ge 2$.

4. Let $O$ be an order in a number field $K$ and let $p$ be a prime number. Show that $O$ is $p$-maximal if and only if every ideal $\mathfrak{p}$ of $O$ which lies above $p$ is invertible in $O$.

5. Prove Proposition 6.2.1 by first proving the formula for $a^{-1}$ given in the text.

6. Given a finite separable algebra $A$ over $\mathbb{F}_p$ isomorphic to a product of $k$ fields $A_i$, compute the probability that a random element $x$ of $A$ is a generator of $A$ in terms of the dimensions $d_i$ of the $A_i$ (hint: use Exercise 13 of Chapter 3).

7. Let $m$ and $n$ be distinct squarefree (positive or negative) integers different from 1. Compute an integral basis for the quartic field $K = \mathbb{Q}(\sqrt{n}, \sqrt{m})$. Find also the explicit decomposition of prime numbers in $K$.

8. (H. W. Lenstra)

a) Let $A$ be a separable algebra of degree $n$ over $\mathbb{F}_p$ (for example $A = O/H_j$ in the notation of Section 6.2). Then $A$ is isomorphic to a product of fields $K$, and let $x_m$ be the number of such fields which are of degree $m$ over $\mathbb{F}_p$ (if $A = O/H_j$, then $x_m$ is the number of prime ideals of $O$ of degree $m$ dividing $H_j$). Show that for all $d$ such that $1 \le d \le n$ one has
$$\sum_{1\le m\le n}\gcd(d, m)\,x_m = \dim_{\mathbb{F}_p}\left(\ker(\sigma^d - 1)\right),$$
where $\sigma$ denotes the Frobenius homomorphism $x \mapsto x^p$ from $A$ to $A$.

b) Compute explicitly the inverse of the matrix $M_n = (\gcd(i, j))_{1\le i,j\le n}$ and give an algorithm which computes the local Euler factor
$$\prod_{\mathfrak{p}\mid p}\left(1 - \mathcal{N}(\mathfrak{p})^{-s}\right)^{-1}$$
without splitting explicitly the $H_j$ of Section 6.2.

9. Using the ideas used in decomposing prime numbers into a product of prime ideals, write a general algorithm for factoring polynomials over $\mathbb{Q}_p$. You may assume that the coefficients are known to any necessary accuracy (for example that they are in $\mathbb{Q}$), and that the required $p$-adic precision for the result is sufficiently high. (Hint: If $K = \mathbb{Q}(\theta)$ with $T(\theta) = 0$ and if $p\mathbb{Z}_K = \prod_i \mathfrak{p}_i^{e_i}$, consider the characteristic polynomial of the map multiplication by $\theta$ in the $\mathbb{Z}/p^k\mathbb{Z}$-module $\mathbb{Z}_K/\mathfrak{p}_i^{ke_i}$.)

10. (Dedekind) Let $K = \mathbb{Q}(\theta)$ be the cubic field defined by the polynomial $P(X) = X^3 + X^2 - 2X + 8$.

a) Compute the discriminant of $P(X)$.

b) Show that $(1, \theta, (\theta + \theta^2)/2)$ is an integral basis of $\mathbb{Z}_K$ and that the discriminant of $K$ is equal to $-503$.

c) Using Algorithm 6.2.9 show that the prime 2 is totally split in $K$.

d) Conclude from Theorem 4.8.13 that 2 is an inessential discriminantal divisor, i.e. that it divides the index $[\mathbb{Z}_K : \mathbb{Z}[\alpha]]$ for any $\alpha \in \mathbb{Z}_K$.

11. So as to avoid ideal multiplication and division, implement the idea given in the remark after Algorithm 6.2.9, and compare the efficiency of this modified algorithm with Algorithm 6.2.9.

12. Compute the Galois group of the fields generated by the polynomials $X^3 - 2$, $X^3 - X^2 - 2X + 1$ and $X^4 - 10X^2 + 1$.

13.  Compute  the  accuracy  needed  for  the  roots  of  T  so  that  the  rounding  procedures 
used  in  computing  the  resolvents  in  all  the  Galois  group  finding  algorithms  given 
in  the  text  be  correct. 

14.  Implement  the  Galois  group  algorithms  and  check  your  implementation  with  the 
list  of  37  polynomials  given  at  the  end  of  Section  6.3. 

15. a) Using Proposition 4.5.3, give an algorithm which determines whether or not a number field $K$ is Galois over $\mathbb{Q}$ (without explicitly computing its Galois group).

b) Using the methods of Section 4.5 write an algorithm which finds explicitly the conjugates of an element of a number field $K$ belonging to $K$. The correctness of the results given by your algorithm should not depend on approximations, that is once a tentative formula has been found it must be checked exactly. Note that this algorithm may allow one to compute the Galois group of $K$ if $K$ is Galois over $\mathbb{Q}$, even when the degree of $K$ is larger than 7.

16.  Determine  the  decomposition  of  prime  numbers  dividing  the  index  in  cyclic  cubic 
fields  by  using  the  method  of  Algorithm  6.2.9.  (Note:  if  the  reader  wants  to  find 
also  the  explicit  decomposition  of  prime  numbers  not  dividing  the  index,  which 
is  given  by  Theorem  4.8.13,  he  will  first  need  to  solve  Exercise  28  of  Chapter  1.) 

17. Show that the polynomials $P(X)$ given in Theorem 6.4.6 (1) and (2) are irreducible in $\mathbb{Q}[X]$.

18.  Complete  the  proof  of  Theorem  6.4.6  (3)  in  the  case  where  e  is  equal  to  9  times 
a  product  of  t  —  1  primes  congruent  to  1  modulo  3. 

19.  Check  that  the  fields  defined  in  Theorem  6.4.6  (2)  are  not  isomorphic  for  distinct 
pairs  (e,  u)  (the  proof  was  given  explicitly  in  the  text  only  for  case  (1)). 

20. Generalize the formulas and results of Section 6.4.2 to cyclic quartic fields, replacing $\mathbb{Q}(\zeta)$ by $\mathbb{Q}(i)$. (Hint: start by showing that such a field has a unique quadratic subfield, which is real.)

21. Using the notations of Theorem 6.4.6, find the minimal equation of $\alpha = (\sigma(\theta) - \theta)/3$, and deduce from this another complete parametrization of cyclic cubic fields.

22. Let $K$ be a cubic field.

a) Show that there exists a $\theta \in \mathbb{Z}_K$ and $a$, $b$ and $c$ in $\mathbb{Z}$ such that $(1, \theta, (\theta^2 + a\theta + b)/c)$ is an integral basis, and give an algorithm for finding $\theta$, $a$, $b$ and $c$.

b) Such a $\theta$ being found, show that there exists a $k \in \mathbb{Z}$ such that if we set $\omega = \theta + k$, then $(1, \omega, (\omega^2 + a_2\omega)/a_3)$ is an integral basis of $\mathbb{Z}_K$ for some integers $a_2$ and $a_3$.

c) Deduce from this that for any cubic field $K$ there exists $\alpha \in K$ which is not necessarily an algebraic integer such that $\mathbb{Z}_K = \mathbb{Z}[\alpha]$ in the sense of Exercise 15 of Chapter 4.

d) Generalize this result to the case of an arbitrary order in a cubic field $K$ by allowing the polynomial used in Exercise 15 of Chapter 4 to have a content larger than 1.

23. Prove that, as claimed in the text, Theorem 4.9.12 (4) implies the formula
$$\frac{h(K)R(K)}{w(K)} = \frac{\sqrt{|D(K)|}}{2^{r_1}(2\pi)^{r_2}}\prod_p \frac{1 - 1/p}{\prod_{\mathfrak{p}\mid p}\left(1 - 1/\mathcal{N}(\mathfrak{p})\right)}.$$

24. Using Algorithm 6.5.9 compute the class group, the regulator and a system of fundamental units for the number fields defined by the polynomials $T(X) = X^4 + 6$, $T(X) = X^4 - 3X + 5$ and $T(X) = X^4 - 3X - 5$.

25. Compute the different of pure cubic fields and of cyclic cubic fields using Proposition 4.8.19 and Algorithm 4.8.21.

26. Let $(\omega_i)_{1\le i\le n}$ be an integral basis for a number field $K$ of degree $n$ such that $\omega_n = 1$, and set $t_i = \mathrm{Tr}_{K/\mathbb{Q}}(\omega_i)/n$. Consider the lattice $\mathbb{Z}^{n-1}$ together with the quadratic form
$$q(x) = \sum_{k=1}^{n}\left|\sigma_k\left(\sum_{1\le i\le n-1} x_i(\omega_i - t_i)\right)\right|^2.$$

a) Show that the determinant of this lattice is equal to $\sqrt{|d(K)|/n}$.

b) Setting $\delta = \sum_{1\le i\le n-1} x_i\omega_i$, prove Hunter's Theorem 6.4.2.

27. Let $m(X) = m_1(X)\cdots m_k(X)$ be the decomposition of $m(X)$ obtained in step 13 of Algorithm 6.2.9. For $1 \le r \le k$, let $e_r$ be a lift to $O$ of $m_r(\alpha)$, and set $H_r = H + e_rO$. Show that $H = \prod_r H_r$, and hence that steps 14 and 15 of Algorithm 6.2.9 are valid. (Note: the $e_r$ are not orthogonal idempotents.)


Chapter  7 

Introduction  to  Elliptic  Curves 


7.1  Basic  Definitions 

7.1.1  Introduction 

The  aim  of  this  chapter  is  to  give  a  brief  survey  of  results,  essentially  without 
proofs,  about  elliptic  curves,  complex  multiplication  and  their  relations  to 
class  groups  of  imaginary  quadratic  fields.  A  few  algorithms  will  be  given  (in 
Section  7.4,  so  as  not  to  interrupt  the  flow  of  the  presentation),  but,  unlike 
other  chapters,  the  main  emphasis  will  be  on  the  theory  (some  of  which  will 
be  needed  in  the  next  chapters).  We  also  describe  the  superb  landscape  that  is 
emerging  in  this  theory,  although  much  remains  conjectural.  It  is  worth  noting 
that  many  of  the  recent  advances  on  the  subject  (in  particular  the  Birch  and 
Swinnerton-Dyer  conjecture)  were  direct  consequences  of  number-theoretical 
experiments.  This  lends  further  support  to  the  claim  that  number  theory,  even 
in  its  sophisticated  areas,  is  an  experimental  as  well  as  a  theoretical  science. 

As elsewhere in this book, we have tried to keep the exposition as self-contained as possible. However, for mastering this information, it would be useful if the reader had some knowledge of complex variables and basic algebraic geometry. Nonetheless, the material needed for the applications in the later chapters is fully described here.

As  suggestions  for  further  reading,  I  heartily  recommend  Silverman’s 
books  [Sil]  and  [Sil3],  as  well  as  [Cas],  [Hus],  [Ire-Ros],  [Lang3]  and  [Shi]. 
Finally,  the  algorithms  and  tables  contained  in  [LN476]  (commonly  called 
Antwerp  IV)  and  [Cre]  are  invaluable. 

7.1.2  Elliptic  Integrals  and  Elliptic  Functions 

Historically, the word elliptic (in the modern sense) came from the theory of elliptic integrals, which occur in many problems, for example in the computation of the length of an arc of an ellipse (whence the name), or in physical problems such as the movement of a pendulum. Such integrals are of the form
$$\int R(x, y)\,dx,$$
where $R(x, y)$ is a rational function in $x$ and $y$, and $y^2$ is a polynomial in $x$ of degree 3 or 4 having no multiple root. It is not our purpose here to explain the theory of these integrals (for this see e.g. [W-W], Ch. XXII). They have served as a motivation for the theory of elliptic functions, developed in particular by Abel, Jacobi and Weierstraß.

Elliptic  functions  can  be  defined  as  inverse  functions  of  elliptic  integrals, 
but  the  main  property  that  interests  us  here  is  that  these  functions  f(x )  are 
doubly  periodic.  More  precisely  we  have: 

Definition 7.1.1. An elliptic function is a meromorphic function $f(x)$ on the whole complex plane which is doubly periodic, i.e. such that there exist complex numbers $\omega_1$ and $\omega_2$ such that $\omega_1/\omega_2 \notin \mathbb{R}$ and for all $x$ which is not a pole, $f(x + \omega_1) = f(x + \omega_2) = f(x)$.

If
$$L = \{m\omega_1 + n\omega_2 \mid m, n \in \mathbb{Z}\}$$
is the lattice generated by $\omega_1$ and $\omega_2$, it is clear that $f$ is elliptic if and only if $f(x + \omega) = f(x)$ for all $x \in \mathbb{C}$ and all $\omega \in L$. The lattice $L$ is called the period lattice of $f$. It is clear that every element of $\mathbb{C}$ is equivalent modulo a translation by an element of $L$ to a unique element of the set $F = \{x\omega_1 + y\omega_2,\ 0 \le x, y < 1\}$. Such a set will be called a fundamental domain for $\mathbb{C}/L$. Standard residue calculations immediately show the following properties:
Standard  residue  calculations  immediately  show  the  following  properties: 

Theorem 7.1.2. Let $f(x)$ be an elliptic function with period lattice $L$, let $\{z_i\}$ be the set of zeros and poles of $f$ in a fundamental domain for $\mathbb{C}/L$, and $n_i$ be the order of $f$ at $z_i$ ($n_i > 0$ when $z_i$ is a zero, $n_i < 0$ if $z_i$ is a pole). Then

(1) The sum of the residues of $f$ in a fundamental domain is equal to 0.

(2) $\sum_i n_i = 0$, in other words $f$ has as many zeros as poles (counted with multiplicity).

(3) If $f$ is non-constant, counting multiplicity, $f$ must have at least 2 poles (and hence 2 zeros) in a fundamental domain.

(4) $\sum_i n_i z_i \in L$. Note that this makes sense since $z_i$ is defined modulo $L$.

Note  that  the  existence  of  non-constant  elliptic  functions  is  not  a  priori 
obvious  from  Definition  7.1.1.  In  fact,  we  have  the  following  general  theorem, 
due  to  Abel  and  Jacobi: 

Theorem 7.1.3. Assume that $z_i$ and $n_i$ satisfy the above properties. Then there exists an elliptic function $f$ with zeros and poles at $z_i$ of order $n_i$.

The simplest construction of non-constant elliptic functions is due to Weierstraß. One defines
$$\wp(z) = \frac{1}{z^2} + \sum_{\omega \in L\setminus\{0\}}\left(\frac{1}{(z + \omega)^2} - \frac{1}{\omega^2}\right)$$
and one easily checks that this is an absolutely convergent series which defines an elliptic function with a double pole at 0. Since non-constant elliptic functions must have poles, it is then a simple matter to check that if we define
$$g_2 = 60\sum_{\omega \in L\setminus\{0\}}\omega^{-4}\qquad\text{and}\qquad g_3 = 140\sum_{\omega \in L\setminus\{0\}}\omega^{-6},$$
then $\wp(z)$ satisfies the following differential equation:
$$\wp'^2 = 4\wp^3 - g_2\wp - g_3.$$


In more geometric terms, one can say that the map
$$z \mapsto \begin{cases}(\wp(z) : \wp'(z) : 1) & \text{for } z \notin L,\\ (0 : 1 : 0) & \text{for } z \in L\end{cases}$$
from $\mathbb{C}$ to the projective complex plane gives an isomorphism between the torus $\mathbb{C}/L$ and the projective algebraic curve $y^2t = 4x^3 - g_2xt^2 - g_3t^3$. This is in fact a special case of a general theorem of Riemann which states that all compact Riemann surfaces are algebraic. Note that it is easy to prove that the field of elliptic functions is generated by $\wp$ and $\wp'$ subject to the above algebraic relation.

Since $\mathbb{C}/L$ is non-singular, the corresponding algebraic curve must also be non-singular, and this is equivalent to saying that the discriminant
$$\Delta = 16(g_2^3 - 27g_3^2)$$
of the cubic polynomial is non-zero. This leads directly to the definition of elliptic curves.


7.1.3  Elliptic  Curves  over  a  Field 

From the preceding section, we see that there are at least two ways to generalize the above concepts to an arbitrary field: we could define an elliptic curve as a curve of genus 1 or as a non-singular plane cubic curve. Luckily, the Riemann-Roch theorem shows that these two definitions are equivalent, hence we set:

Definition 7.1.4. Let $K$ be a field. An elliptic curve over $K$ is a non-singular projective plane cubic curve $E$ together with a point with coordinates in $K$. The (non-empty) set of projective points which are on the curve and with coordinates in $K$ will be called the set of $K$-rational points of $E$ and denoted $E(K)$.

Up to a suitable birational transformation, it is a simple matter to check that such a curve can always be given by an equation of the following (affine) type:
$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6,$$
the point defined over $K$ being the (unique) point at infinity, and hence this can be taken as an alternative definition of an elliptic curve (see Algorithm 7.4.10 for the explicit formulas for the transformation). This will be called a (generalized) Weierstraß equation for the curve.

Note that this equation is not unique. Over certain number fields $K$ such as $\mathbb{Q}$, it can be shown however that there exists an equation which is minimal, in a well defined sense. We will call it the minimal Weierstraß equation of the curve. Note that such a minimal equation does not necessarily exist for any number field $K$. For example, it can be shown (see [Sil], page 226) that the elliptic curve $y^2 = x^3 + 125$ has no minimal Weierstraß equation over the field $\mathbb{Q}(\sqrt{-10})$.


Theorem 7.1.5. An elliptic curve over $\mathbb{C}$ has the form $\mathbb{C}/L$ where $L$ is a lattice. In other words, if $g_2$ and $g_3$ are any complex numbers such that $g_2^3 - 27g_3^2 \ne 0$, then there exist $\omega_1$ and $\omega_2$ with $\mathrm{Im}(\omega_1/\omega_2) > 0$ and $g_2 = 60\sum_{(m,n)\ne(0,0)}(m\omega_1 + n\omega_2)^{-4}$, $g_3 = 140\sum_{(m,n)\ne(0,0)}(m\omega_1 + n\omega_2)^{-6}$.


A fundamental property of elliptic curves is that they are commutative algebraic groups. This is true over any base field. Over $\mathbb{C}$ this follows immediately from Theorem 7.1.5. The group law is then simply the quotient group law of $\mathbb{C}$ by $L$. On the other hand, it is not difficult to prove the addition theorem for the Weierstraß $\wp$ function, given by:
$$\wp(z_1 + z_2) = -\wp(z_1) - \wp(z_2) + \frac{1}{4}\left(\frac{\wp'(z_1) - \wp'(z_2)}{\wp(z_1) - \wp(z_2)}\right)^2 \quad\text{if } z_1 \ne z_2,$$
$$\wp(2z_1) = -2\wp(z_1) + \frac{1}{4}\left(\frac{12\wp(z_1)^2 - g_2}{2\wp'(z_1)}\right)^2 \quad\text{if } z_1 = z_2.$$

From this and the isomorphism given by the map $z \mapsto (\wp(z), \wp'(z))$, one obtains immediately:


Proposition 7.1.6. Let $y^2 = 4x^3 - g_2x - g_3$ be the equation of an elliptic curve. The neutral element for the group law is the point at infinity $(0 : 1 : 0)$. The inverse of a point $(x_1, y_1)$ is the point $(x_1, -y_1)$, i.e. the symmetric point with respect to the $x$-axis. Finally, if $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ are two non-opposite points on the curve, their sum $P_3 = (x_3, y_3)$ is given by the following formulas. Set
$$m = \begin{cases}\dfrac{y_1 - y_2}{x_1 - x_2} & \text{if } P_1 \ne P_2,\\[2ex] \dfrac{12x_1^2 - g_2}{2y_1} & \text{if } P_1 = P_2.\end{cases}$$
Then
$$x_3 = -x_1 - x_2 + m^2/4,\qquad y_3 = -y_1 - m(x_3 - x_1).$$
It is easy to see that this theorem enables us to define an addition law on an elliptic curve over any base field of characteristic zero, and in fact in any characteristic different from 2 and 3. Furthermore, it can be checked that this indeed defines a group law.

More  generally  one  can  define  such  a  law  over  any  field,  in  the  following 
way. 


Proposition 7.1.7. Let
$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$$
be the equation of an elliptic curve defined over an arbitrary base field. Define the neutral element as the point at infinity $(0 : 1 : 0)$, the opposite of a point $(x_1, y_1)$ as the point $(x_1, -y_1 - a_1x_1 - a_3)$. Finally, if $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ are two non-opposite points on the curve, define their sum $P_3 = (x_3, y_3)$ by the following. Set
$$m = \begin{cases}\dfrac{y_1 - y_2}{x_1 - x_2} & \text{if } P_1 \ne P_2,\\[2ex] \dfrac{3x_1^2 + 2a_2x_1 + a_4 - a_1y_1}{2y_1 + a_1x_1 + a_3} & \text{if } P_1 = P_2,\end{cases}$$
and put
$$x_3 = -x_1 - x_2 - a_2 + m(m + a_1),\qquad y_3 = -y_1 - a_3 - a_1x_3 + m(x_1 - x_3).$$

Then these formulas define an (algebraic) Abelian group law on the curve.

The  only  non-trivial  thing  to  check  in  this  theorem  is  the  associativity  of 
the  law.  This  can  most  easily  be  seen  by  interpreting  the  group  law  in  terms 
of  divisors,  but  we  will  not  do  this  here. 

The geometric interpretation of the formulas above is the following. Let $P_1$ and $P_2$ be points on the (projective) curve. The line $D$ from $P_1$ to $P_2$ (the tangent to the curve if $P_1 = P_2$) intersects the curve at a third point $R$, say. Then, if $O$ is the point at infinity on the curve, the sum of $P_1$ and $P_2$ is the third point of intersection with the curve of the line from $O$ to $R$. One checks easily that this leads to the above formulas.

For future reference, given a general equation as above, we define the following quantities:
$$\begin{aligned}
b_2 &= a_1^2 + 4a_2, & b_4 &= a_1a_3 + 2a_4,\\
b_6 &= a_3^2 + 4a_6, & b_8 &= a_1^2a_6 + 4a_2a_6 - a_1a_3a_4 + a_2a_3^2 - a_4^2,\\
c_4 &= b_2^2 - 24b_4, & c_6 &= -b_2^3 + 36b_2b_4 - 216b_6,\\
\Delta &= -b_2^2b_8 - 8b_4^3 - 27b_6^2 + 9b_2b_4b_6, & j &= c_4^3/\Delta,\\
\omega &= dx/(2y + a_1x + a_3) = dy/(3x^2 + 2a_2x + a_4 - a_1y).
\end{aligned}\tag{7.1}$$
Then it is easy to see that if we set $Y = 2y + a_1x + a_3$, on a field of characteristic different from 2, the equation becomes
$$Y^2 = 4x^3 + b_2x^2 + 2b_4x + b_6.$$
Setting $X = x + b_2/12$, if the characteristic of the field is different from 2 and 3 the equation becomes
$$Y^2 = 4X^3 - (c_4/12)X - (c_6/216).$$
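The group law of Proposition 7.1.7 together with the quantities (7.1) and the substitution $Y = 2y + a_1x + a_3$, as an added Python example that is not from the book. The curve is taken over a prime field $\mathbb{F}_p$ with $p$ odd, so that 2 is invertible and the denominators of the slope formulas make sense modulo $p$; the two curves in the usage note are constructed for illustration. The point at infinity is represented by `None`, division is done with modular inverses, and the case $P_2 = -P_1$, including the doubling of a point of order 2, is detected before any slope is formed, since that is exactly where the denominator $2y_1 + a_1x_1 + a_3$ vanishes.

```python
"""Added example (not from the book): the group law of Proposition 7.1.7 and the
quantities (7.1) for a generalized Weierstrass equation over a prime field F_p.
Assumes p is an odd prime; the point at infinity (0 : 1 : 0) is None."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    """y^2 + a1 x y + a3 y = x^3 + a2 x^2 + a4 x + a6 over F_p."""
    p: int
    a1: int
    a2: int
    a3: int
    a4: int
    a6: int

    def invariants(self):
        """b2, b4, b6, b8, c4, c6 and Delta of (7.1), computed over Z."""
        a1, a2, a3, a4, a6 = self.a1, self.a2, self.a3, self.a4, self.a6
        b2 = a1 * a1 + 4 * a2
        b4 = a1 * a3 + 2 * a4
        b6 = a3 * a3 + 4 * a6
        b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
        c4 = b2 * b2 - 24 * b4
        c6 = -b2 ** 3 + 36 * b2 * b4 - 216 * b6
        disc = -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6
        return b2, b4, b6, b8, c4, c6, disc

    def is_nonsingular(self):
        """The equation reduced mod p is an elliptic curve iff Delta is non-zero mod p."""
        return self.invariants()[6] % self.p != 0

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        lhs = y * y + self.a1 * x * y + self.a3 * y
        rhs = x ** 3 + self.a2 * x * x + self.a4 * x + self.a6
        return (lhs - rhs) % self.p == 0

    def neg(self, P):
        """The opposite of (x, y) is (x, -y - a1 x - a3)."""
        if P is None:
            return None
        x, y = P
        return (x % self.p, (-y - self.a1 * x - self.a3) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent addition with the formulas of Proposition 7.1.7."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P[0] % p, P[1] % p
        x2, y2 = Q[0] % p, Q[1] % p
        if x1 == x2 and (y1 + y2 + self.a1 * x1 + self.a3) % p == 0:
            return None                    # Q = -P; also covers doubling a point of order 2
        if x1 == x2:                       # then P = Q: tangent slope
            num = 3 * x1 * x1 + 2 * self.a2 * x1 + self.a4 - self.a1 * y1
            den = 2 * y1 + self.a1 * x1 + self.a3
        else:
            num, den = y1 - y2, x1 - x2
        m = num * pow(den % p, -1, p) % p  # den is non-zero mod p in both branches
        x3 = (-x1 - x2 - self.a2 + m * (m + self.a1)) % p
        y3 = (-y1 - self.a3 - self.a1 * x3 + m * (x1 - x3)) % p
        return (x3, y3)

    def mul(self, k, P):
        """k * P for k >= 0 by double-and-add."""
        R = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self):
        """All affine F_p-points by exhaustive search (small p only)."""
        p = self.p
        return [(x, y) for x in range(p) for y in range(p) if self.on_curve((x, y))]

    def completed_square_holds(self, P):
        """Check Y^2 = 4x^3 + b2 x^2 + 2 b4 x + b6 with Y = 2y + a1 x + a3 at P."""
        x, y = P
        b2, b4, b6 = self.invariants()[:3]
        Y = 2 * y + self.a1 * x + self.a3
        return (Y * Y - (4 * x ** 3 + b2 * x * x + 2 * b4 * x + b6)) % self.p == 0
```

With the constructed curve $y^2 = x^3 + x + 6$ over $\mathbb{F}_{11}$, which has 13 points, and $P = (2, 7)$ one gets $2P = (5, 2)$, $3P = (8, 3)$ and $13P = O$. The identities $c_4^3 - c_6^2 = 1728\Delta$ and $4b_8 = b_2b_6 - b_4^2$ are cheap consistency checks on any implementation of (7.1), and $\Delta \not\equiv 0 \pmod p$ is the test that an integral equation still defines an elliptic curve after reduction modulo $p$ (see Section 7.1.4). On the second constructed curve $y^2 + xy + y = x^3 + x^2 + 2x + 3$ over $\mathbb{F}_{13}$ the point $(0, 6)$ has order 2, so the tangent denominator vanishes there and the early return is what keeps the doubling from dividing by zero.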


7.1.4 Points on Elliptic Curves 

Consider an abstract equation $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, 
where the coefficients $a_i$ are in $\mathbb{Z}$. Since for any field $K$ there exists a natural 
homomorphism from $\mathbb{Z}$ to $K$, this equation can be considered as defining a 
curve over any field $K$. Note that even if the initial curve was non-singular, 
in positive characteristic the curve can become singular. 

We shall consider successively the case where $K = \mathbb{R}$, $K = \mathbb{F}_q$, where $q$ is 
a power of a prime $p$, and $K = \mathbb{Q}$. 

Elliptic Curves over $\mathbb{R}$. In the case where the characteristic is different 
from 2 and 3, the general equation can be reduced to the following Weierstraß 
form: 

$$
y^2 = x^3 + a_4 x + a_6.
$$

(We could put a 4 in front of the $x^3$ as in the equation for the $\wp$ function, but 
this introduces unnecessary constant factors in the formulas). The discriminant 
of the cubic polynomial is $-(4a_4^3 + 27a_6^2)$, however the $y^2$ term must be 
taken into account, and general considerations show that one must take 

$$
-16(4a_4^3 + 27a_6^2)
$$

as the definition of the discriminant of the elliptic curve. 

Several cases can occur. Let $Q(x) = x^3 + a_4 x + a_6$ and $\Delta = -16(4a_4^3 + 27a_6^2)$. 

(1) $\Delta < 0$. Then the equation $Q(x) = 0$ has only one real root, and the graph 
of the curve has only one connected component. 

(2) $\Delta > 0$. Then the equation $Q(x) = 0$ has three distinct real roots, and the 
graph of the curve has two connected components: a non-compact one, 
which is the component of the zero element of the curve (i.e. the point at 
infinity), and a compact one, oval shaped. 

From the geometric construction of the group law, one sees that the 
roots of $Q(x) = 0$ are exactly the points of order 2 on the curve (the points 
of order 3 correspond to the inflection points). 

(3) $\Delta = 0$. The curve is no longer an elliptic curve, since it now has a singular 
point. This case splits into three sub-cases. Since the polynomial $Q(x)$ has 
at least a double root, write 

$$
Q(x) = (x - a)^2 (x - b).
$$


Note  that  2a  +  b  =  0. 

(3a)  a  >  b.  Then  the  curve  has  a  unique  connected  component,  which 
has  a  double  point  at  x  =  a.  The  tangents  at  the  double  point  have 
distinct  real  slopes. 

(3b) $a < b$. Then the curve has two connected components: a non-compact 
one, and the single point of coordinates $(a, 0)$. In fact this point is 
again a double point, but with distinct purely imaginary tangents. 

(3c) $a = b$. (In this case $a = b = 0$ since $2a + b = 0$). Then the curve 
has a cusp at $x = 0$, i.e. the tangents at the singular point are the 
same. 

See Fig. 7.1 for the different possible cases. Note that case (1) is subdivided 
into the case where the curve does not have any horizontal tangent ($a_4 > 0$), 
and the case where it does ($a_4 < 0$). 

In case 3, one says that the curve is a degenerate elliptic curve. One easily 
checks that the group law still exists, but on the curve minus the singular point. 
This leads to the following terminology: in case 3a, the group is naturally 
isomorphic to $\mathbb{R}^*$, and this is called the case of split multiplicative degeneracy. 
In case 3b, the group is isomorphic to the group $S^1$ of complex numbers of 
modulus equal to 1, and this is called non-split multiplicative degeneracy. 
Finally, in case 3c, the group is isomorphic to the additive group $\mathbb{R}$, and this 
case is called additive degeneracy. 

These  notions  can  be  used,  not  only  for  R,  but  for  any  base  field  K.  In 
that  case,  the  condition  a  >  b  is  replaced  by  a  —  b  is  a  (non-zero)  square  in  K. 

Elliptic Curves over a Finite Field. To study curves (or more general 
algebraic objects) over $\mathbb{Q}$, it is very useful to study first the reduction of the 
curve modulo primes. This leads naturally to elliptic curves over $\mathbb{F}_p$, and more 
generally over an arbitrary finite field $\mathbb{F}_q$, where $q$ is a power of $p$. Note that 
when one reduces an elliptic curve mod $p$, the resulting curve over $\mathbb{F}_p$ may be 
singular, hence no longer an elliptic curve. Such $p$ are called primes of bad 
reduction, and are finite in number since they must divide the discriminant of 
the curve. According to the terminology introduced in the case of $\mathbb{R}$, we will 
say that the reduction mod $p$ is (split or non-split) multiplicative or additive, 
according to the type of degeneracy of the curve over $\mathbb{F}_p$. The main theorem 
concerning elliptic curves over finite fields, due to Hasse, is as follows: 

Theorem 7.1.8 (Hasse). Let $p$ be a prime, and $E$ an elliptic curve over $\mathbb{F}_p$. 
Then there exists an imaginary quadratic integer $\alpha_p$ such that 

(1) If $q = p^n$ then 

$$
|E(\mathbb{F}_q)| = q + 1 - \alpha_p^n - \bar{\alpha}_p^{\,n}.
$$

(2) $\alpha_p \bar{\alpha}_p = p$, or equivalently $|\alpha_p| = \sqrt{p}$. 

(3) In particular, we have 

$$
|E(\mathbb{F}_p)| = p + 1 - a_p \quad\text{with}\quad |a_p| \le 2\sqrt{p},
$$

and $\alpha_p$ is a root of the equation 

$$
\alpha_p^2 - a_p \alpha_p + p = 0.
$$

[Figure 7.1. Non-Degenerate and Degenerate Elliptic Curves over $\mathbb{R}$.] 


The  numbers  ap  are  very  important  and  are  (conjecturally)  coefficients  of 
a  modular  form  of  weight  2.  We  will  come  back  to  this  subject  in  Section  7.3. 

The second important result gives some information on the group structure 
of $E(\mathbb{F}_q)$, and is as follows. 

Proposition 7.1.9. If $E$ is an elliptic curve over a finite field $\mathbb{F}_q$, then $E(\mathbb{F}_q)$ 
is either cyclic or isomorphic to a product of two cyclic groups. Furthermore, 
in the case where it is not cyclic, if we write $E(\mathbb{F}_q) \simeq \mathbb{Z}/d_1\mathbb{Z} \times \mathbb{Z}/d_2\mathbb{Z}$ with 
$d_1 \mid d_2$, then $d_1 \mid q - 1$. 


Elliptic  Curves  over  Q.  From  a  number  theorist’s  point  of  view,  this  is 
of  course  the  most  interesting  base  field.  The  situation  in  this  case  and  in 
the  case  of  more  general  number  fields  is  much  more  difficult.  The  first  basic 
theorem,  due  to  Mordell  and  later  generalized  by  Weil  to  the  case  of  number 
fields  and  of  Abelian  varieties,  is  as  follows: 

Theorem 7.1.10 (Mordell). Let $E$ be an elliptic curve over $\mathbb{Q}$. The group 
of points of $E$ with coordinates in $\mathbb{Q}$ (denoted naturally $E(\mathbb{Q})$) is a finitely 
generated Abelian group. In other words, 

$$
E(\mathbb{Q}) \simeq E(\mathbb{Q})_{\mathrm{tors}} \oplus \mathbb{Z}^r,
$$

where $r$ is a non-negative integer called the rank of the curve, and $E(\mathbb{Q})_{\mathrm{tors}}$ is 
the torsion subgroup of $E(\mathbb{Q})$, which is a finite Abelian group. 

The  torsion  subgroup  of  a  given  elliptic  curve  is  easy  to  compute.  On  the 
other  hand  the  study  of  possible  torsion  subgroups  for  elliptic  curves  over  Q 
is  a  difficult  problem,  solved  only  in  1977  by  Mazur  ([Maz]).  His  theorem  is 
as  follows: 

Theorem 7.1.11 (Mazur). Let $E$ be an elliptic curve over $\mathbb{Q}$. The torsion 
subgroup $E(\mathbb{Q})_{\mathrm{tors}}$ of $E$ can be isomorphic only to one of the 15 following 
groups: 

$$
\mathbb{Z}/m\mathbb{Z} \quad\text{for } 1 \le m \le 10 \text{ or } m = 12, \qquad
\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2m\mathbb{Z} \quad\text{for } 1 \le m \le 4.
$$

In particular, its cardinality is at most 16. 

Note that all of the 15 groups above do occur for an infinite number of non-isomorphic 
elliptic curves. The corresponding theorem for all quadratic fields 
(even allowing the discriminant to vary) was proved in 1990 by Kamienny 
([Kam]) (with more groups of course), and finally for all number fields in 1994 
by Merel ([Mer]). 

The  other  quantity  which  occurs  in  Mordell’s  theorem  is  the  rank  r,  and 
is  a  much  more  difficult  number  to  compute,  even  for  an  individual  curve. 
There  is  no  known  mathematically  proven  algorithm  to  compute  r  in  general. 
Even  the  apparently  simpler  question  of  deciding  whether  r  is  zero  or  not  (or 
equivalently  whether  the  curve  has  a  finite  or  an  infinite  number  of  rational 
points)  is  still  not  solved.  This  is  the  subject  of  active  research,  and  we  will 
come  back  in  more  detail  to  this  question  in  Section  7.4. 

Let us give an example of a down to earth application of Mordell's theorem. 
Consider the curve 

$$
y^2 = x^3 - 36x.
$$

It is easy to show (see Exercise 3) that the only torsion points are the points of 
order 1 or 2, i.e. the point at infinity and the three points $(0,0)$, $(6,0)$, $(-6,0)$. 
But the point $(-2,8)$ is also on the curve. Therefore we must have $r > 0$, 
hence an infinite number of points, a fact which is not a priori evident. What 
Mordell's theorem tells us is that $r$ is finite, and in fact one can show in this 
case that $r = 1$, and that the only rational points on the curve are integral 
multiples of the point $(-2,8)$ added to one of the four torsion points. 

This curve is in fact closely related to the so-called congruent number problem, 
and the statement that we have just made means, in this context, that 
there exists an infinite number of non-equivalent right angled triangles with 
all three sides rational and area equal to 6, the simplest one (corresponding 
to the point $(-2,8)$) being the well known $(3,4,5)$ Pythagorean triangle. 

As an exercise, the reader can check that twice the point $(-2,8)$ is the 
point (j, j), and that this corresponds to the right-angled triangle of area 
6 with sides (-^p, -^r). See [Kob] for the (almost) complete story on the 
congruent number problem. 
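As an added illustration (this code is not from the book), the following Python script implements the general Weierstraß group law stated before Section 7.1.4 and the quantities (7.1), over Q and over F_p, and then uses it on the curve y² = x³ − 36x: it checks Hasse's bound and the structure of Proposition 7.1.9 for small primes of good reduction, and computes twice the point (−2, 8) together with the corresponding right triangle of area 6. The triangle side formulas are assumed from the standard congruent-number correspondence (they are not given on the page); exact arithmetic over Q uses Python's fractions module.

```python
from fractions import Fraction
from math import gcd


class Weierstrass:
    """y^2 + a1 x y + a3 y = x^3 + a2 x^2 + a4 x + a6 over Q (p=None) or over the
    prime field F_p (p an odd prime). Points are (x, y) pairs; None is the point O."""

    def __init__(self, a1, a2, a3, a4, a6, p=None):
        self.p = p
        self.a1, self.a2, self.a3, self.a4, self.a6 = [self.f(a) for a in (a1, a2, a3, a4, a6)]

    def f(self, v):          # coerce an element into the base field
        return v % self.p if self.p else Fraction(v)

    def inv(self, v):        # multiplicative inverse in the base field
        return pow(v, -1, self.p) if self.p else 1 / Fraction(v)

    def invariants(self):
        """The quantities b2, b4, b6, b8, c4, c6, Delta and j of (7.1)."""
        a1, a2, a3, a4, a6 = self.a1, self.a2, self.a3, self.a4, self.a6
        b2, b4, b6 = a1 * a1 + 4 * a2, a1 * a3 + 2 * a4, a3 * a3 + 4 * a6
        b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
        c4, c6 = b2 * b2 - 24 * b4, -b2 ** 3 + 36 * b2 * b4 - 216 * b6
        disc = self.f(-b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6)
        j = self.f(c4 ** 3 * self.inv(disc)) if disc else None    # None: singular curve
        return {"b2": self.f(b2), "b4": self.f(b4), "b6": self.f(b6), "b8": self.f(b8),
                "c4": self.f(c4), "c6": self.f(c6), "disc": disc, "j": j}

    def on_curve(self, P):
        x, y = map(self.f, P)
        lhs, rhs = y * y + self.a1 * x * y + self.a3 * y, x ** 3 + self.a2 * x * x + self.a4 * x + self.a6
        return self.f(lhs - rhs) == 0

    def add(self, P, Q):
        """The chord-and-tangent law: m is the slope of the line through P and Q
        (the tangent at P when P = Q); P + Q = O when Q is the opposite of P."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = map(self.f, P), map(self.f, Q)
        a1, a2, a3, a4 = self.a1, self.a2, self.a3, self.a4
        if x1 == x2:
            if self.f(y1 + y2 + a1 * x1 + a3) == 0:
                return None
            m = (3 * x1 * x1 + 2 * a2 * x1 + a4 - a1 * y1) * self.inv(self.f(2 * y1 + a1 * x1 + a3))
        else:
            m = (y1 - y2) * self.inv(self.f(x1 - x2))
        m = self.f(m)
        x3 = self.f(-x1 - x2 - a2 + m * (m + a1))
        y3 = self.f(-y1 - a3 - a1 * x3 + m * (x1 - x3))
        return (x3, y3)

    def mul(self, n, P):
        """[n]P for n >= 0 by double-and-add."""
        R = None
        while n:
            if n & 1:
                R = self.add(R, P)
            P, n = self.add(P, P), n >> 1
        return R

    def points(self):
        """All points over F_p by brute force (small p only)."""
        return [None] + [(x, y) for x in range(self.p) for y in range(self.p) if self.on_curve((x, y))]


def trace(E):
    """a_p = p + 1 - |E(F_p)|, the quantity bounded by 2 sqrt(p) in Theorem 7.1.8."""
    return E.p + 1 - len(E.points())


def group_structure(E):
    """(d1, d2) with E(F_p) ~ Z/d1 x Z/d2, d1 | d2 (Proposition 7.1.9); d1 = 1 means cyclic.
    d2 is the exponent of the group: the lcm of the orders of all its points."""
    pts, d2 = E.points(), 1
    for P in pts:
        n, Q = 1, P
        while Q is not None:            # n becomes the order of P
            Q, n = E.add(Q, P), n + 1
        d2 = d2 * n // gcd(d2, n)
    return len(pts) // d2, d2


def congruent_triangle(P, n=6):
    """Rational right triangle of area n attached to a point (x, y) of y^2 = x^3 - n^2 x.
    The side formulas are the standard correspondence, assumed here (not stated on the page)."""
    x, y = Fraction(P[0]), Fraction(P[1])
    return abs((x * x - n * n) / y), abs(2 * n * x / y), (x * x + n * n) / abs(y)


if __name__ == "__main__":
    E = Weierstrass(0, 0, 0, -36, 0)                     # y^2 = x^3 - 36 x over Q
    print(E.invariants()["disc"], E.invariants()["j"])   # Delta = 2985984 > 0, j = 1728
    P2 = E.mul(2, (-2, 8))
    print(P2, congruent_triangle(P2))                    # twice (-2, 8) and its triangle
    for p in (5, 7, 11, 13, 17, 19):                     # primes of good reduction
        Ep = Weierstrass(0, 0, 0, -36, 0, p)
        print(p, trace(Ep), group_structure(Ep))
```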


7.2  Complex  Multiplication  and  Class  Numbers 

In  this  section,  we  will  study  maps  between  elliptic  curves.  We  begin  by  the 
case  of  curves  over  C. 


7.2.1 Maps Between Complex Elliptic Curves 

Recall that a complex elliptic curve $E$ has the form $\mathbb{C}/L$ where $L$ is a lattice. 
Let $E = \mathbb{C}/L$ and $E' = \mathbb{C}/L'$ be two elliptic curves. A map $\phi$ from $E$ to 
$E'$ is by definition a holomorphic $\mathbb{Z}$-linear map from $E$ to $E'$. Since $\mathbb{C}$ is the 
universal covering of $E'$, $\phi$ lifts to a holomorphic $\mathbb{Z}$-linear map $f$ from $\mathbb{C}$ to $\mathbb{C}$, 
and such a map has the form $f(z) = \alpha z$ for some complex number $\alpha$, which 
induces a map from $E$ to $E'$ iff $\alpha L \subset L'$. Thus we have: 

Proposition 7.2.1. Let $E = \mathbb{C}/L$ and $E' = \mathbb{C}/L'$ be two elliptic curves over 
$\mathbb{C}$. Then 

(1) $E$ is isomorphic to $E'$ if and only if $L' = \alpha L$ for a certain non-zero 
complex number $\alpha$. 

(2) The set of maps from $E$ to $E'$ can be identified with the set of complex 
numbers $\alpha$ such that $\alpha L \subset L'$. In particular, the set $\mathrm{End}(E)$ of endomorphisms 
of $E$ is a commutative ring isomorphic to the set of $\alpha$ such that 
$\alpha L \subset L$. 


In terms of the Weierstraß equation of the curves, this theorem gives the 
following. Recall that the equation of $E$ (resp. $E'$) is $y^2 = 4x^3 - g_2 x - g_3$ (resp. 
$y^2 = 4x^3 - g_2' x - g_3'$) where 

$$
g_2 = 60 \sum_{\omega \in L \setminus \{0\}} \omega^{-4}, \qquad g_3 = 140 \sum_{\omega \in L \setminus \{0\}} \omega^{-6},
$$

and similarly for $g_2'$ and $g_3'$. Hence, the first part of the theorem says that if 
$E \simeq E'$, there exists $\alpha$ such that 

$$
g_2' = \alpha^{-4} g_2, \qquad g_3' = \alpha^{-6} g_3.
$$

The converse is also clear from the Weierstraß equation. Now, since $E$ is a 
non-singular curve, the discriminant $g_2^3 - 27 g_3^2$ is non-zero, so we can define 

$$
j(E) = 1728\, g_2^3 / (g_2^3 - 27 g_3^2),
$$

and we obtain: 

Proposition 7.2.2. The function $j(E)$ characterizes the isomorphism class 
of $E$ over $\mathbb{C}$. More precisely, $E \simeq E'$ if and only if $j(E) = j(E')$. 

The quantity $j(E)$ is called the modular invariant of the elliptic curve 
$E$. The number $1728 = 12^3$ will be explained later. Although we have been 
working over $\mathbb{C}$, Proposition 7.2.2 is still valid over any algebraically closed 
field of characteristic different from 2 and 3 (it is also valid in characteristic 
2 or 3, for a slightly generalized definition of $j(E)$). On the other hand, it is 
false if the field is not algebraically closed (consider for example $y^2 = 4x^3 - 4x$ 
and $y^2 = 4x^3 + 4x$ over $\mathbb{R}$). 


Remark. It is easy to construct an elliptic curve with a given modular invariant 
$j$. We give the formulas when the characteristic is different from 2 and 
3 since we have not given the definition otherwise. 

(1) If $j = 0$, one can take $y^2 = x^3 - 1$. 

(2) If $j = 1728$, one can take $y^2 = x^3 - x$. 

(3) Otherwise, one sets $c = j/(j - 1728)$, and then one can take $y^2 = x^3 - 3cx + 2c$. 
(If one wants equations with a coefficient of 4 in front of $x^3$, 
multiply by 4 and replace $y$ by $y/2$.) 


Now let $E = \mathbb{C}/L$ be an elliptic curve over $\mathbb{C}$. Then, as a $\mathbb{Z}$-module, $L$ can 
be generated by two $\mathbb{R}$-linearly independent complex numbers $\omega_1$ and $\omega_2$, and 
by suitably ordering them, we may assume that $\operatorname{Im}\tau > 0$, where $\tau = \omega_1/\omega_2$. 
Since multiplying a lattice by a non-zero complex number does not change 
the isomorphism class of $E$, we have $j(E) = j(E_\tau)$, where $E_\tau = \mathbb{C}/L_\tau$ and 
$L_\tau$ is the lattice generated by 1 and $\tau$. By abuse of notation, we will write 
$j(\tau) = j(E_\tau)$. This defines a complex function $j$ on the upper half-plane 
$\mathcal{H} = \{\tau \in \mathbb{C},\ \operatorname{Im}\tau > 0\}$. If $a$, $b$, $c$ and $d$ are integers such that $ad - bc = 1$ 
(i.e. if $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z})$), then the lattice generated by $a\tau + b$ and $c\tau + d$ is 
equal to $L_\tau$. This implies the modular invariance of $j(\tau)$: 

Theorem 7.2.3. For any $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z})$, we have 

$$
j\left(\frac{a\tau + b}{c\tau + d}\right) = j(\tau).
$$

In particular, $j(\tau)$ is periodic of period 1. Hence it has a Fourier expansion, 
and one can prove the following theorem: 

Theorem 7.2.4. There exist positive integers $c_n$ such that, if we set $q = e^{2\pi i\tau}$, 
we have for all complex $\tau$ with $\operatorname{Im}\tau > 0$: 

$$
j(\tau) = \frac{1}{q} + 744 + \sum_{n \ge 1} c_n q^n.
$$


The factor 1728 used in the definition of $j$ is there to avoid denominators 
in the Fourier expansion of $j(\tau)$, and more precisely to have a residue equal to 
1 at infinity (the local variable at infinity being taken to be $q$). These theorems 
show that $j$ is a meromorphic function on the compactification (obtained by 
adding a point at infinity) of the quotient $\mathcal{H}/\mathrm{SL}_2(\mathbb{Z})$. 

Proposition 7.2.5. The function $j$ is a one-to-one mapping from the compactification 
of $\mathcal{H}/\mathrm{SL}_2(\mathbb{Z})$ onto the projective complex plane $\mathbb{P}^1(\mathbb{C})$ (which is 
naturally isomorphic to the Riemann sphere $S^2$). In other words, $j(\tau)$ takes 
once and only once every possible value (including infinity) on $\mathcal{H}/\mathrm{SL}_2(\mathbb{Z})$. 

Note that this proposition is obtained essentially by combining the remark 
made after Proposition 7.2.2 (surjectivity) with Proposition 7.2.1 (injectivity). 

Since the field of meromorphic functions on the sphere is the field of rational 
functions, we deduce that the field of modular functions, i.e. meromorphic 
functions which are meromorphic at infinity and invariant under $\mathrm{SL}_2(\mathbb{Z})$, is 
the field of rational functions in $j$. In particular, modular functions which are 
holomorphic outside the point at infinity of the Riemann sphere are simply 
polynomials in $j$. Finally, if we want to have such a function which is one to 
one as in Proposition 7.2.5, the only possibilities are linear polynomials $aj + b$. 
As mentioned above, the constant 1728 has been chosen so that the residue 
at infinity is equal to one. If we want to keep this property, we must have 
$a = 1$. This leaves only the possibility $j + b$ for a function having essentially 
the same properties as $j$. In other words, the only freedom that we really have 
in the choice of the modular function $j$ is the constant term 744 in its Fourier 
expansion. 

Although it is a minor point, I would like to say that the normalization 
of $j$ with constant term 744 is not the correct one for several reasons. The 
"correct" constant should be 24, so the "correct" $j$ function should in fact be 
$j - 720$. Maybe the most natural reason is as follows: there exists a rapidly 
convergent series due to Rademacher for the Fourier coefficients $c_n$ of $j$. For 
$n = 0$, this series gives 24, not 744. Other good reasons are due to Atkin and 
Zagier (unpublished). 


7.2.2  Isogenies 

We  now  come  back  to  the  case  of  elliptic  curves  over  an  arbitrary  field. 

Definition  7.2.6.  Let  E  and  E'  be  two  elliptic  curves  defined  over  a  field  K. 
An  isogeny  from  E  to  E'  is  a  map  of  algebraic  curves  from  E  to  E'  sending 
the  zero  element  of  E  to  the  zero  element  of  E' .  The  curves  are  said  to  be 
isogenous  if  there  exists  a  non-constant  isogeny  from  E  to  E' . 

The  following  theorem  summarizes  the  main  properties  of  non-constant 
isogenies: 

Theorem 7.2.7. Let $\phi$ be a non-constant isogeny from $E$ to $E'$. Then: 

(1) If $K$ is an algebraically closed field, $\phi$ is a surjective map. 

(2) $\phi$ is a finite map, in other words the fiber over any point of $E'$ is constant 
and finite. 

(3) $\phi$ preserves the group laws of the elliptic curves (note that this was not 
required in the definition), i.e. it is a map of algebraic groups. 


From these properties, one can see that $\phi$ induces an injective map from 
the corresponding function field of $E'$ to that of $E$ (over some algebraic closure 
of the base field). The degree of the corresponding field extensions is finite and 
called the degree of $\phi$. 

Note that if the above extension of fields is separable, for example if the 
base field has characteristic zero, then the degree of $\phi$ is also equal to the 
cardinality of a fiber, i.e. to the cardinality of its kernel $\phi^{-1}(O)$, but this is 
not true in general. 

Theorem 7.2.8. Let $E$ be an elliptic curve over a field $K$, and let $m$ be a 
positive integer. Then the map $[m]$ (multiplication by $m$) is an endomorphism 
of $E$ with the following properties: 

(1) $\deg[m] = m^2$. 

(2) Let $E[m]$ denote the kernel of $[m]$ in some algebraic closure of $K$, i.e. the 
group of points of order dividing $m$. If the characteristic of $K$ is prime to 
$m$ (or if it is equal to 0), we have 

$$
E[m] \simeq (\mathbb{Z}/m\mathbb{Z}) \times (\mathbb{Z}/m\mathbb{Z}).
$$


Another  important  point  concerning  isogenies  is  the  following: 

Theorem 7.2.9. Let $\phi$ be an isogeny from $E$ to $E'$. There exists a unique 
isogeny $\hat\phi$ from $E'$ to $E$ called the dual isogeny, such that 

$$
\hat\phi \circ \phi = [m],
$$

where $m$ is the degree of $\phi$. In addition, we also have 

$$
\phi \circ \hat\phi = [m]',
$$

where $[m]'$ denotes multiplication by $m$ on $E'$. 

Note  also  the  following: 

Theorem 7.2.10. Let $E$ be an elliptic curve and $\Phi$ a finite subgroup of $E$. 
Then there exists an elliptic curve $E'$ and an isogeny $\phi$ from $E$ to $E'$ whose 
kernel is equal to $\Phi$. The elliptic curve $E'$ is well defined up to isomorphism 
and is denoted $E/\Phi$. 

We end this section by giving a slightly less trivial example of an isogeny: 
Let $E$ and $E'$ be two elliptic curves over a field of characteristic different from 
2, given by the equations 

$$
y^2 = x^3 + ax^2 + bx \quad\text{and}\quad y^2 = x^3 - 2ax^2 + (a^2 - 4b)x,
$$

where we assume that $b$ and $a^2 - 4b$ are both non-zero. Then the map $\phi$ from 
$E$ to $E'$ given by 

$$
\phi(x, y) = \left( \frac{y^2}{x^2},\ \frac{y(x^2 - b)}{x^2} \right)
$$

is an isogeny of degree 2 with kernel $\{O, (0,0)\}$. 


7.2.3 Complex Multiplication 

Let $E$ be an elliptic curve. To make life simpler, we will assume that the base 
field has characteristic zero. We have seen that the maps $[m]$ are elements of 
$\mathrm{End}(E)$. Usually, they are the only ones, and since they are distinct, $\mathrm{End}(E) \simeq \mathbb{Z}$. 
It may however happen that $\mathrm{End}(E)$ is larger than $\mathbb{Z}$. 

Definition 7.2.11. We say that $E$ has complex multiplication if $\mathrm{End}(E)$ 
contains elements other than $[m]$, i.e. if as a ring it is strictly larger than $\mathbb{Z}$. 


The  theory  of  complex  multiplication  is  vast,  and  we  can  just  give  a  glimpse 
of  its  contents.  The  first  result  is  as  follows: 


Proposition 7.2.12. Let $E$ be an elliptic curve defined over a field of characteristic 
zero, and assume that $E$ has complex multiplication. Then the ring 
$\mathrm{End}(E)$ is an order in an imaginary quadratic field, i.e. has the form $\mathbb{Z} + \mathbb{Z}\tau$ 
where $\tau$ is a complex number with positive imaginary part and which is an 
algebraic integer of degree 2 (that is, satisfies an equation of the form 

$$
\tau^2 - s\tau + n = 0,
$$

with $s$ and $n$ in $\mathbb{Z}$ and $s^2 - 4n < 0$). 


Proof. We shall give the proof in the case where the base field is $\mathbb{C}$. Then 
$E \simeq \mathbb{C}/L$ for a certain lattice $L$, and we know that $\mathrm{End}(E)$ is canonically 
isomorphic to the set of $\alpha$ such that $\alpha L \subset L$. After division by one of the 
generators of $L$, we can assume that $L$ is generated by 1 and $\tau$ for a certain 
$\tau \in \mathcal{H}$, where we recall that $\mathcal{H}$ is the upper half-plane. Then if $\alpha$ stabilizes $L$, 
there must exist integers $a$, $b$, $c$ and $d$ such that $\alpha = a + b\tau$, $\alpha\tau = c + d\tau$. In 
other words, $\alpha$ is an eigenvalue of the matrix $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$, hence is an algebraic 
integer of degree 2 (with $s = a + d$, $n = ad - bc$). Since $\alpha = a + b\tau$, this shows 
that $\mathbb{Q}(\tau) = \mathbb{Q}(\alpha)$ is a fixed imaginary quadratic extension $k$ of $\mathbb{Q}$, and hence 
$\mathrm{End}(E)$ is (canonically isomorphic to) a subring of $\mathbb{Z}_k$, the ring of integers of 
$k$, and hence is an order in $k$ if it is larger than $\mathbb{Z}$. □ 
Example. The curves $y^2 = x^3 - ax$ all have complex multiplication by $\mathbb{Z}[i]$ 
(map $(x,y)$ to $(-x, iy)$). Similarly, the curves $y^2 = x^3 + b$ all have complex 
multiplication by $\mathbb{Z}[\rho]$, where $\rho$ is a primitive cube root of unity (map $(x,y)$ 
to $(\rho x, y)$). For a less trivial example, one can check that the curve 

$$
y^2 = x^3 - (3/4)x^2 - 2x - 1
$$

has complex multiplication by $\mathbb{Z}[\omega]$, where $\omega = \dfrac{1 + \sqrt{-7}}{2}$, multiplication by $\omega$ 
sending $(x,y)$ to $(u,v)$, where 

$$
u = \omega^{-2}\,\frac{x^2 - \omega}{x - a}, \qquad v = \omega^{-3}\, y\, \frac{x^2 - 2ax + \omega}{(x - a)^2},
$$

where we have set $a = (\omega - 3)/4$ (I thank D. Bernardi for these calculations). 
For a simple algorithm which makes these computations easy to perform see 
[Star]. 
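An added numerical check (not code from the book or from [Star]) of the explicit maps above: the degree-2 isogeny of Section 7.2.2, the map (x, y) → (−x, iy) on y² = x³ − ax, and the multiplication by ω on y² = x³ − (3/4)x² − 2x − 1. For each, the image of a few constructed complex points is tested against the equation of the target curve, and for [ω] the kernel point (a, 0) and the image of the 2-torsion point (2, 0) are checked. The sample coefficients a = 1, b = −3 and the sample abscissae are constructed for this check, not taken from the page.

```python
import cmath

OMEGA = (1 + cmath.sqrt(-7)) / 2      # omega = (1 + sqrt(-7))/2, so omega * conj(omega) = 2
ALPHA = (OMEGA - 3) / 4               # the constant a = (omega - 3)/4 of the text


def lift(f, x):
    """A point (x, y) of y^2 = f(x) over C above the abscissa x (one of the two roots)."""
    return x, cmath.sqrt(f(x))


def residual(f, P):
    """|y^2 - f(x)| / (1 + |f(x)|): zero exactly when (x, y) lies on y^2 = f(x)."""
    x, y = P
    return abs(y * y - f(x)) / (1 + abs(f(x)))


def two_isogeny(a, b):
    """The degree-2 isogeny phi(x, y) = (y^2/x^2, y (x^2 - b)/x^2) of Section 7.2.2 from
    E: y^2 = x^3 + a x^2 + b x to E': y^2 = x^3 - 2a x^2 + (a^2 - 4b) x.  Its kernel is
    {O, (0, 0)}, so the point (0, 0) itself must not be fed to phi."""
    if b == 0 or a * a - 4 * b == 0:
        raise ValueError("b and a^2 - 4b must be non-zero")

    def phi(P):
        x, y = P
        return y * y / (x * x), y * (x * x - b) / (x * x)
    return phi


def cm_curve(x):
    """Right-hand side of y^2 = x^3 - (3/4) x^2 - 2 x - 1."""
    return x ** 3 - 0.75 * x * x - 2 * x - 1


def cm_multiply(P):
    """Multiplication by omega on that curve: (x, y) -> (u, v) with
    u = omega^-2 (x^2 - omega)/(x - a),  v = omega^-3 y (x^2 - 2 a x + omega)/(x - a)^2.
    The kernel is {O, (a, 0)}: a is a root of cm_curve, and the degree is 2 = N(omega)."""
    x, y = P
    u = (x * x - OMEGA) / (x - ALPHA) / OMEGA ** 2
    v = y * (x * x - 2 * ALPHA * x + OMEGA) / (x - ALPHA) ** 2 / OMEGA ** 3
    return u, v


def check_maps():
    """Largest residual of the image points on the target curves over constructed sample
    abscissae (not from the page); all three maps should give rounding-level values."""
    a, b = 1.0, -3.0                                      # constructed; b and a^2 - 4b non-zero
    f = lambda x: x ** 3 + a * x * x + b * x
    g = lambda x: x ** 3 - 2 * a * x * x + (a * a - 4 * b) * x
    phi = two_isogeny(a, b)
    h = lambda x: x ** 3 - 5 * x                          # y^2 = x^3 - 5x has CM by Z[i]
    rot = lambda P: (-P[0], 1j * P[1])                    # (x, y) -> (-x, i y)
    samples = [0.3 + 0.7j, -1.5 + 0.2j, 2.0 + 0j, 1 + 1j, -0.4 - 2.2j]
    return (max(residual(g, phi(lift(f, x))) for x in samples),
            max(residual(cm_curve, cm_multiply(lift(cm_curve, x))) for x in samples),
            max(residual(h, rot(lift(h, x))) for x in samples))


if __name__ == "__main__":
    print(check_maps())                         # three numbers of size about 1e-15
    print(cm_multiply((2.0 + 0j, 0j)))          # the 2-torsion point (2, 0) goes to (conj(a), 0)
```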

Remark. Note that if the base field is a finite field, $\mathrm{End}(E)$ is either isomorphic 
to an order in an imaginary quadratic field or to the maximal order in 
a definite quaternion algebra of dimension 4 over $\mathbb{Z}$. In this last case, which 
is the only case where $\mathrm{End}(E)$ is non-commutative, we say that the elliptic 
curve $E$ is supersingular. 

The  next  theorem  concerning  complex  multiplication  is  as  follows: 

Theorem 7.2.13. Let $\tau$ be a quadratic algebraic number with positive imaginary 
part. Then the elliptic curve $E_\tau = \mathbb{C}/(\mathbb{Z} + \mathbb{Z}\tau)$ has complex multiplication 
by an order in the quadratic field $\mathbb{Q}(\tau)$, and the $j$-invariant $j(E_\tau) = j(\tau)$ is 
an algebraic integer. 

Note that although the context (and the proof) of this theorem involves 
elliptic curves, its statement is simply that a certain explicit function $j(\tau)$ on 
$\mathcal{H}$ takes algebraic integer values at quadratic imaginary points. 
Examples. Here are a few selected values of $j$. 

$$
\begin{aligned}
j((1 + i\sqrt{3})/2) &= 0 = 1728 - 3(24)^2 \\
j(i) &= 1728 = 12^3 = 1728 - 4(0)^2 \\
j((1 + i\sqrt{7})/2) &= -3375 = (-15)^3 = 1728 - 7(27)^2 \\
j(i\sqrt{2}) &= 8000 = 20^3 = 1728 + 8(28)^2 \\
j((1 + i\sqrt{11})/2) &= -32768 = (-32)^3 = 1728 - 11(56)^2 \\
j((1 + i\sqrt{19})/2) &= -884736 = (-96)^3 = 1728 - 19(216)^2 \\
j((1 + i\sqrt{43})/2) &= -884736000 = (-960)^3 = 1728 - 43(4536)^2 \\
j((1 + i\sqrt{67})/2) &= -147197952000 = (-5280)^3 = 1728 - 67(46872)^2 \\
j((1 + i\sqrt{163})/2) &= -262537412640768000 = (-640320)^3 \\
&= 1728 - 163(40133016)^2 \\[1ex]
j(i\sqrt{3}) &= 54000 = 2(30)^3 = 1728 + 12(66)^2 \\
j(2i) &= 287496 = (66)^3 = 1728 + 8(189)^2 \\[1ex]
j((1 + 3i\sqrt{3})/2) &= -12288000 = -3(160)^3 = 1728 - 3(2024)^2 \\
j(i\sqrt{7}) &= 16581375 = (255)^3 = 1728 + 7(1539)^2 \\[1ex]
j((1 + i\sqrt{15})/2) &= \frac{1 - \sqrt{5}}{2}\left(\frac{75 + 27\sqrt{5}}{2}\right)^3 = 1728 - 3\left(\frac{273 + 105\sqrt{5}}{2}\right)^2 \\[1ex]
j((1 + i\sqrt{23})/2) &= -(820750\theta^2 + 1084125\theta + 616750) \\
&= -(25\theta^2 + 55\theta + 35)^3 \\
&= 1728 - (3\theta^2 - 4)(406\theta^2 + 511\theta + 273)^2,
\end{aligned}
$$

where $\theta$ is the real root of the cubic equation $X^3 - X - 1 = 0$. 

The  reason  for  the  special  values  chosen  will  become  clear  later. 

An amusing consequence of the above results is the following. We know 
that if $q = e^{2\pi i\tau}$ then $j(\tau) = 1/q + 744 + O(|q|)$. Hence when $|q|$ is very small 
(i.e. when the imaginary part of $\tau$ is large), it can be expected that $j(\tau)$ is well 
approximated by $1/q + 744$. Taking the most striking example, this implies 
that $e^{\pi\sqrt{163}}$ should be close to an integer, and that $(e^{\pi\sqrt{163}} - 744)^{1/3}$ should 
be even closer. This is indeed what one finds: 

$$
e^{\pi\sqrt{163}} = 262537412640768743.99999999999925007259\ldots
$$

$$
(e^{\pi\sqrt{163}} - 744)^{1/3} = 640319.99999999999999999999999939031735\ldots
$$

Note that by well known transcendence results, although these quantities are 
very close to integers, they cannot be integers and they are in fact transcendental 
numbers. 
7.2.4 Complex Multiplication and Hilbert Class Fields 

The following theorem gives more precise information on the nature of the 
algebraic integer $j(\tau)$ and will be one of our basic tools in our study of 
Atkin's primality test (see Section 9.2). We define the discriminant of a 
quadratic number $\tau$ as the discriminant of the unique primitive positive definite 
quadratic form $(a, b, c)$ such that $\tau$ is a root of the equation $ax^2 + bx + c = 0$. 

Theorem 7.2.14. Let $\tau \in \mathcal{H}$ be a quadratic imaginary number, and let $D$ 
be its discriminant as just defined. Then $j(\tau)$ is an algebraic integer of degree 
exactly equal to $h(D)$, where $h(D)$ is the class number of the imaginary 
quadratic order of discriminant $D$. More precisely, the minimal polynomial of 
$j(\tau)$ over $\mathbb{Q}$ is the equation $\prod (X - j(\alpha)) = 0$, where $\alpha$ runs over the quadratic 
numbers associated to the reduced forms of discriminant $D$. 

Note that $j(\tau)$ is indeed a root of this polynomial, since any quadratic form 
of discriminant $D$ is equivalent to a reduced form, and since the $j$ function 
is $\mathrm{SL}_2(\mathbb{Z})$-invariant. The difficult part of this theorem is that the polynomial 
has integral coefficients. 

I can now explain the reason for the selection of $j$-values given in the 
preceding section. From Theorem 7.2.14, we see that $j(\tau)$ is rational (in fact 
integral) if and only if $h(D) = 1$ (we assume of course that $\tau$ is a quadratic 
number). Hence, by the Heegner-Stark-Baker theorem (see Section 5.3.1), this 
corresponds to only 9 quadratic fields. There are 4 more corresponding to 
non-maximal orders: $-12$ and $-27$ (in the field $\mathbb{Q}(\sqrt{-3})$), $-16$ (in the field 
$\mathbb{Q}(\sqrt{-4})$), and $-28$ (in the field $\mathbb{Q}(\sqrt{-7})$). 

The first 13 values of our little table above correspond to these 13 quadratic 
orders, and the last two are for $D = -15$ and $D = -23$, which are the first 
values for which the class number is 2 and 3 respectively. 
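The following added Python code (not from the book) computes j(τ) numerically, recovers several entries of the table of Section 7.2.3 and the near-integer e^{π√43}, enumerates the reduced forms of a discriminant D, and multiplies out the polynomial ∏(X − j(α)) of Theorem 7.2.14 for D = −7, −15 and −23, whose rounded coefficients are the integers the theorem promises. The evaluation of j uses the standard E4 and Δ q-expansions, which are assumed here and are not stated on the page.

```python
import cmath
from math import exp, gcd, isqrt, pi, sqrt


def sigma(n, k):
    """Divisor power sum sigma_k(n) = sum of d^k over d | n."""
    return sum(d ** k for d in range(1, n + 1) if n % d == 0)


def j_invariant(tau, terms=60):
    """j(tau) for Im(tau) > 0, through q = exp(2 pi i tau).  Theorem 7.2.4 only gives the
    shape 1/q + 744 + ...; the standard formulas used here (assumed, not on the page) are
    E4 = 1 + 240 sum sigma_3(n) q^n, Delta = q prod (1 - q^n)^24 and j = E4^3 / Delta."""
    q = cmath.exp(complex(0, 2 * pi) * tau)
    e4 = 1 + 240 * sum(sigma(n, 3) * q ** n for n in range(1, terms))
    delta = q
    for n in range(1, terms):
        delta *= (1 - q ** n) ** 24
    return e4 ** 3 / delta


def reduced_forms(D):
    """Primitive reduced positive definite forms (a, b, c) of discriminant D < 0:
    b^2 - 4ac = D, |b| <= a <= c, and b >= 0 when |b| = a or a = c.  Their number is h(D)."""
    forms = []
    for a in range(1, isqrt(-D // 3) + 1):
        for b in range(-a, a + 1):
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or gcd(gcd(a, abs(b)), c) != 1 or (b < 0 and (-b == a or a == c)):
                continue
            forms.append((a, b, c))
    return forms


def class_polynomial(D):
    """Coefficients (leading first) of prod (X - j(alpha)) over the reduced forms of
    discriminant D, alpha = (-b + sqrt(D)) / (2a): the minimal polynomial of Theorem 7.2.14.
    The complex product is rounded to the integers the theorem says it must have."""
    coeffs = [1 + 0j]
    for a, b, c in reduced_forms(D):
        root = j_invariant((-b + cmath.sqrt(D)) / (2 * a))
        coeffs = [hi - root * lo for hi, lo in zip(coeffs + [0], [0] + coeffs)]
    return [round(z.real) for z in coeffs]


def near_integer(D):
    """For tau = (1 + sqrt(D))/2 one has q = -exp(-pi sqrt(|D|)), so j(tau) = 1/q + 744 + O(q)
    puts exp(pi sqrt(|D|)) within O(|q|) of the integer 744 - j(tau) when h(D) = 1."""
    return exp(pi * sqrt(-D)), 744 - round(j_invariant((1 + cmath.sqrt(D)) / 2).real)


if __name__ == "__main__":
    print(j_invariant(1j), j_invariant(complex(0, sqrt(2))))   # 1728 and 8000, up to rounding
    for D in (-7, -15, -23):
        print(D, reduced_forms(D), class_polynomial(D))
    print(near_integer(-43))                                   # 884736743.9998..., 884736744
```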

Now if $\tau$ corresponds to a maximal order in an imaginary quadratic field 
$K$, Theorem 7.2.14 tells us that the field $H = K(j(\tau))$ obtained by adjoining 
$j(\tau)$ to $K$ is an algebraic extension of degree $h(D)$ (this is not strictly true: 
it tells us this for $K = \mathbb{Q}$, but the statement holds nonetheless). Now in 
fact much more is true: it is a Galois extension, with Abelian Galois group 
isomorphic to the class group of the imaginary quadratic field $K$. Furthermore, 
it is unramified, and it is the maximal Abelian unramified extension of $K$. By 
definition, such a field $H$ is called the Hilbert class field of $K$. One sees that in 
the case of imaginary quadratic fields, the Hilbert class field can be obtained 
by adjoining a value of the $j$-function. This kind of construction is lacking 
for other types of fields (except of course for $\mathbb{Q}$). See [Shi] for the relevant 
definitions and theorems about class fields. 

A cursory glance at the table of values which we have given reveals 
many other interesting aspects. For example, in most cases, it seems that $j(\tau)$ 
is a cube. Furthermore, it can be checked that no large prime factors occur 
in the values of $j(\tau)$ (or of its norm when it is not in $\mathbb{Q}$). These properties 
are indeed quite general, with some restrictions. For example, if $D$ is not 
divisible by 3, then up to multiplication by a unit, $j(\tau)$ is a cube in $H$. One 
can also check that (still up to units) $j(\tau) - 1728$ is a square in $K$ if $D \equiv 1 \pmod 4$. 
Finally, not only the values of $j(\tau)$, but more generally the differences 
$j(\tau_1) - j(\tau_2)$ have only small prime factors (the case of $j(\tau_1)$ is recovered by 
taking $\tau_2 = \rho = (-1 + \sqrt{-3})/2$). All these properties have been proved by 
Gross-Zagier [Gro-Zag1]. 

The other property of an elliptic curve with complex multiplication, which 
will also be basic to Atkin's primality test, is that it is easy to compute the 
number of its points in a finite field, i.e. its $L$-function (see Section 7.3 for the 
definition). We state only the special cases which we will need (see [Deu]). 

Theorem 7.2.15. Let E be an elliptic curve with complex multiplication by
an imaginary quadratic order of discriminant D, and let p be a prime number.
Then we have
$$|E(\mathbb{F}_p)| = p + 1 - a_p,$$
where $a_p$ is given as follows.

(1) If p is inert (i.e. if $\left(\frac{D}{p}\right) = -1$), then $a_p = 0$.

(2) If p splits into a product of prime elements, say $p = \pi\bar\pi$, then $a_p = \pi + \bar\pi$
for a suitable choice of $\pi$.


Remarks.

(1) If D < −4, there exist only two (opposite) choices for $\pi$ since the order
has only 2 units. These choices give two opposite values of $a_p$, one of these
values giving the correct $a_p$ for E, the other one giving the $a_p$ for the curve
E “twisted” by a quadratic non-residue (see Section 7.4.3). On the other
hand if D = −4 or D = −3, there exist 4 (resp. 6) choices for $\pi$, also
corresponding to twisted curves.

(2) If p is ramified or splits into a product of prime ideals which are not
principal, then one can still give the value of $a_p$, but the recipe is more
involved. In terms of L-functions, the general result says that there exists
a Hecke character $\psi$ on the field $\mathbb{Q}(\sqrt{D})$ such that
$$L(E,s) = L(\psi,s)\,L(\bar\psi,s).$$


7.2.5 Modular Equations

Another remarkable property of the j-function, which is not directly linked
to complex multiplication, but rather to the role that j plays as a modular
invariant, is that the functions $j(N\tau)$ for N integral (or more generally
rational) are algebraic functions of $j(\tau)$. The minimal equation of the form
$\Phi_N(j(\tau), j(N\tau)) = 0$ satisfied by $j(N\tau)$ is called the modular equation of level
N. This result is not difficult to prove. We will prove it explicitly in the special
case N = 2. Set
$$P(X) = (X - j(2\tau))\left(X - j\!\left(\tfrac{\tau}{2}\right)\right)\left(X - j\!\left(\tfrac{\tau+1}{2}\right)\right) = X^3 - s(\tau)X^2 + t(\tau)X - n(\tau).$$

I claim that the functions s, t and n are polynomials in j. Since they are clearly
meromorphic, and in fact holomorphic outside infinity, from Section 7.2.1 it is
enough to prove that they are modular functions (i.e. invariant under $\mathrm{SL}_2(\mathbb{Z})$).
Since the action of $\mathrm{SL}_2(\mathbb{Z})$ on $\mathcal{H}$ is generated by $\tau \mapsto \tau + 1$ and $\tau \mapsto -1/\tau$,
it suffices to show the invariance of s, t and n under these transformations,
and this is easily done using the modular invariance of j itself. This shows the
existence of a cubic equation satisfied by $j(2\tau)$ over the field $\mathbb{C}(j(\tau))$. If one
wants the equation explicitly, one must compute the first few coefficients of
the Fourier expansion of $s(\tau)$, $t(\tau)$, and $n(\tau)$, using the Fourier expansion of
$j(\tau)$:
$$j(\tau) = \frac{1}{q} + 744 + 196884\,q + 21493760\,q^2 + 864299970\,q^3 + \cdots$$

The result is as follows:
$$s = j^2 - 2^4\cdot 3\cdot 31\,j + 2^4\cdot 3^4\cdot 5^3,$$
$$t = 2^4\cdot 3\cdot 31\,j^2 + 3^4\cdot 5^3\cdot 4027\,j + 2^8\cdot 3^7\cdot 5^6,$$
$$n = -j^3 + 2^4\cdot 3^4\cdot 5^3\,j^2 - 2^8\cdot 3^7\cdot 5^6\,j + 2^{12}\cdot 3^9\cdot 5^9.$$

This gives as modular polynomial of level 2 the polynomial
$$\Phi_2(X,Y) = X^3 + Y^3 - X^2Y^2 + 2^4\cdot 3\cdot 31\,(X^2Y + XY^2) - 2^4\cdot 3^4\cdot 5^3\,(X^2 + Y^2)$$
$$\qquad + 3^4\cdot 5^3\cdot 4027\,XY + 2^8\cdot 3^7\cdot 5^6\,(X + Y) - 2^{12}\cdot 3^9\cdot 5^9.$$

As we can see from this example, the modular polynomials are symmetric in X
and Y. They have many other remarkable properties that tie them closely to
complex multiplication and class numbers, but we will not pursue this subject
any further here. See for example [Her], [Mah] and [Coh3] for results and more
references on the polynomials $\Phi_N$.
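The level-2 modular equation can be checked directly from the q-expansion, as an added example that is not code from the book: the script recomputes j(τ) as E_4³/Δ with exact integer arithmetic on truncated power series and verifies that Φ_2(j(τ), j(2τ)) vanishes to the order kept (the truncation order N is an assumption).

```python
# Added example (not from the book): check Phi_2(j(tau), j(2 tau)) = 0 from the
# q-expansion of j, with exact integer arithmetic on truncated power series.
# Assumption: N terms of the expansion are kept; Phi_2 is the level-2 modular
# polynomial written out in the text.
N = 14

def mul(a, b, n=N):
    """Product of two power series in q (lists of ints), truncated to n terms."""
    out = [0] * n
    for i, ai in enumerate(a[:n]):
        if ai:
            for k, bk in enumerate(b[:n - i]):
                out[i + k] += ai * bk
    return out

def inverse(a, n=N):
    """Inverse of a power series with constant term 1 (recursive convolution)."""
    inv = [1] + [0] * (n - 1)
    for m in range(1, n):
        inv[m] = -sum(a[k] * inv[m - k] for k in range(1, m + 1) if k < len(a))
    return inv

def sigma3(m):
    """Divisor function sigma_3(m): sum of the cubes of the divisors of m."""
    return sum(d ** 3 for d in range(1, m + 1) if m % d == 0)

def j_series(n=N):
    """Return J = q * j(tau) as a power series, so that
    j = J[0]/q + J[1] + J[2] q + ... = 1/q + 744 + 196884 q + ...
    J is computed as E_4^3 / (Delta/q), with E_4 = 1 + 240 sum sigma_3(m) q^m
    and Delta/q = prod_{m>=1} (1 - q^m)^24."""
    e4 = [1] + [240 * sigma3(m) for m in range(1, n)]
    delta_over_q = [1] + [0] * (n - 1)
    for m in range(1, n):
        factor = [1] + [0] * (n - 1)
        factor[m] = -1
        for _ in range(24):
            delta_over_q = mul(delta_over_q, factor, n)
    e4_cubed = mul(mul(e4, e4, n), e4, n)
    return mul(e4_cubed, inverse(delta_over_q, n), n)

def shift(a, k, n=N):
    """Multiply a power series by q^k."""
    return ([0] * k + a)[:n]

def add(*series, n=N):
    """Sum of power series."""
    out = [0] * n
    for s in series:
        for i, x in enumerate(s[:n]):
            out[i] += x
    return out

def scale(a, c):
    return [c * x for x in a]

def phi2_check(n=N):
    """Return q^6 * Phi_2(j(tau), j(2 tau)) as a truncated power series.
    With X = j(tau) = J1/q and Y = j(2 tau) = J2/q^2, each monomial of Phi_2
    is multiplied by q^6 to clear the poles; the modular equation says that
    every coefficient of the result is 0."""
    J1 = j_series(n)
    J2 = [0] * n                                  # J2 = J1(q^2)
    for i, x in enumerate(J1):
        if 2 * i < n:
            J2[2 * i] = x
    J1sq, J2sq = mul(J1, J1, n), mul(J2, J2, n)
    return add(
        shift(mul(J1sq, J1, n), 3, n),                                   # q^6 X^3
        mul(J2sq, J2, n),                                                # q^6 Y^3
        scale(mul(J1sq, J2sq, n), -1),                                   # -q^6 X^2 Y^2
        scale(add(shift(mul(J1sq, J2, n), 2, n),
                  shift(mul(J1, J2sq, n), 1, n), n=n), 1488),            # 2^4.3.31 (X^2 Y + X Y^2)
        scale(add(shift(J1sq, 4, n), shift(J2sq, 2, n), n=n), -162000),  # -2^4.3^4.5^3 (X^2 + Y^2)
        scale(shift(mul(J1, J2, n), 3, n), 40773375),                    # 3^4.5^3.4027 X Y
        scale(add(shift(J1, 5, n), shift(J2, 4, n), n=n), 8748000000),   # 2^8.3^7.5^6 (X + Y)
        scale(shift([1] + [0] * (n - 1), 6, n), -157464000000000),       # -2^12.3^9.5^9
        n=n,
    )

if __name__ == "__main__":
    print("j(tau) = 1/q +", j_series()[1:5], "...")
    print("q^6 Phi_2(j(tau), j(2 tau)) mod q^%d =" % N, phi2_check())
```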


7.3 Rank and L-functions

We have seen in Theorem 7.1.10 that if E is an elliptic curve defined over Q,
then
$$E(\mathbb{Q}) \simeq E(\mathbb{Q})_{\mathrm{tors}} \oplus \mathbb{Z}^r,$$
where $E(\mathbb{Q})_{\mathrm{tors}}$ is a finite group which is easy to compute for a given curve,
and r is an integer called the rank. As has already been mentioned, r is
very difficult to compute, even for a specific curve. Most questions here have
conjectural answers, but very few are proved. In this section, we try to give
some indications on the status of the subject at the time of this writing.

7.3.1 The Zeta Function of a Variety

I heartily recommend reading [Ire-Ros] for detailed and concrete examples on
this subject.

After  clearing  the  denominators  of  the  coefficients,  we  may  assume  that 
our  curve  has  coefficients  in  Z.  Now  it  is  a  classical  technique  to  look  at  the 
equation  modulo  primes  p,  and  to  gather  this  information  to  obtain  results 
on  the  equation  over  Q  or  over  Z.  This  can  be  done  more  generally  for  any 
smooth  projective  algebraic  variety  (and  more  general  objects  if  needed),  and 
not  only  for  elliptic  curves.  Although  it  carries  us  a  little  away,  I  believe  it 
worthwhile  to  do  it  in  this  more  general  context  first. 

Let V be a (smooth projective) variety of dimension d, defined by equations
with coefficients in Z. For any prime p, we can consider the variety
$V_p$ obtained by reducing the coefficients modulo p (it may, of course, not be
smooth any more). For any n ≥ 1, let $N_n(p)$ be the number of points of $V_p$
defined over the finite field $\mathbb{F}_{p^n}$ and consider the following formal power series
in the variable T:
$$Z_p(T) = \exp\left(\sum_{n\ge1} \frac{N_n(p)}{n}\,T^n\right).$$

Then we have the following very deep theorem, first conjectured by Weil (and
proved by him for curves and Abelian varieties, see [Weil]), and proved completely
by Deligne in 1974 [Del]:

Theorem 7.3.1. Let $V_p$ be a smooth projective variety of dimension d over
$\mathbb{F}_p$. Then:

(1) The series $Z_p(T)$ is a rational function of T, i.e. $Z_p(T) \in \mathbb{Q}(T)$.

(2) There exists an integer e (called the Euler characteristic of $V_p$), such that
$$Z_p\!\left(\frac{1}{p^dT}\right) = \pm\, p^{de/2}\,T^e\, Z_p(T).$$

(3) The rational function $Z_p(T)$ factors as follows:
$$Z_p(T) = \frac{P_1(T)\cdots P_{2d-1}(T)}{P_0(T)\,P_2(T)\cdots P_{2d}(T)},$$
where for all i, $P_i(T) \in \mathbb{Z}[T]$, $P_0(T) = 1 - T$, $P_{2d}(T) = 1 - p^dT$, and for
all other i,

The first assertion was actually proved by Dwork a few years before
Deligne using relatively elementary methods, but by far the hardest part of
this theorem is the last assertion, that $|\,\cdot\,| = p^{i/2}$. This is called the Riemann
hypothesis for varieties over finite fields.

Now given all the local $Z_p(T)$, we can form a global zeta function by
setting for s complex with Re s sufficiently large:
$$\zeta(V,s) = \prod_p Z_p(p^{-s}).$$

This should be taken with a grain of salt, since there are some p (finite in
number) such that $V_p$ is not smooth. In fact, given the underlying cohomological
interpretation of the $P_i$, it is more reasonable to consider the global
L-functions defined by
$$L_i(V,s) = \prod_p P_i(p^{-s})^{-1} \quad\text{for } 0 \le i \le 2d,$$
and recover the zeta function as
$$\zeta(V,s) = \prod_{0\le i\le 2d} L_i(V,s)^{(-1)^i}.$$

Very little is known about these general zeta functions and L-functions.
It is believed (can one say conjectured when so few cases have been closely
examined?) that these functions can be analytically continued to meromorphic
functions on the whole complex plane. When the local factors at the bad
primes p are correctly chosen, they should have a functional equation and the
L-functions should satisfy the Riemann hypothesis, i.e. apart from “trivial”
zeros, all the other complex zeros of $L_i(V,s)$ should lie on the vertical line
$\mathrm{Re}\, s = i/2$.

One  recovers  the  ordinary  Riemann  zeta  function  by  taking  for  V  the 
single  point  0.  More  generally,  one  can  recover  the  Dedekind  zeta  function 
of  a  number  field  by  taking  for  V  the  0-dimensional  variety  defined  in  the 
projective  line  by  P(X)  =  0,  where  P  is  a  monic  polynomial  with  integer 
coefficients  defining  the  field  over  Q. 


7.3.2  L-functions  of  Elliptic  Curves 

Let  us  now  consider  the  special  case  where  V  is  an  elliptic  curve  E.  In  that 
case,  Hasse’s  Theorem  7.1.8  gives  us  all  the  information  we  need  about  the 
number  of  points  of  E  over  a  finite  field.  This  leads  to  the  following  corollary: 

Corollary 7.3.2. Let E be an elliptic curve over Q, and let p be a prime of
good reduction (i.e. such that $E_p$ is still smooth). Then
$$Z_p(T) = \frac{1 - a_pT + pT^2}{(1 - T)(1 - pT)},$$
where $a_p$ is as in Theorem 7.1.8.

In fact, Hasse's theorem is simply the special case of the Weil conjectures
for elliptic curves (and can be proved quite simply, see e.g. [Sil] pp 134-136).

Ignoring for the moment the question of bad primes, the general definition
of zeta and L-functions gives us
$$\zeta(E,s) = \frac{\zeta(s)\,\zeta(s-1)}{L(E,s)},$$
where
$$L(E,s) = L_1(E,s) = \prod_p \left(1 - a_p\,p^{-s} + p^{1-2s}\right)^{-1}.$$

The function $L(E,s)$ will be called the Hasse-Weil L-function of the elliptic
curve E. To give a precise definition, we also need to define the local factors
at the bad primes p. This can be done, and finally leads to the following
definition.


Definition 7.3.3. Let E be an elliptic curve over Q, and let $y^2 + a_1xy + a_3y =
x^3 + a_2x^2 + a_4x + a_6$ be a minimal Weierstraß equation for E (see 7.1.3). When
E has good reduction at p, define $a_p = p + 1 - N_p$ where $N_p$ is the number of
(projective) points of E over $\mathbb{F}_p$. If E has bad reduction, define
$$\varepsilon(p) = \begin{cases} 1 & \text{if $E$ has split multiplicative reduction at $p$;}\\ -1 & \text{if $E$ has non-split multiplicative reduction at $p$;}\\ 0 & \text{if $E$ has additive reduction at $p$.}\end{cases}$$
Then we define the L-function of E as follows, for $\mathrm{Re}\, s > 3/2$:
$$L(E,s) = \prod_{\text{bad } p} \frac{1}{1 - \varepsilon(p)\,p^{-s}} \;\prod_{\text{good } p} \frac{1}{1 - a_p\,p^{-s} + p^{1-2s}}.$$

Note that in this definition it is crucial to take a minimal Weierstraß
equation for E: taking another equation could increase the number of primes
of bad reduction, and hence change a finite number of local factors. On the
other hand, one can prove that $L(E,s)$ depends only on the isogeny class of
E.

By expanding the product, it is clear that $L(E,s)$ is a Dirichlet series, i.e.
of the form $\sum_{n\ge1} a_n n^{-s}$ (this of course is the case for all zeta functions of
varieties). We will set
$$f_E(\tau) = \sum_{n\ge1} a_n q^n, \quad\text{where as usual } q = e^{2i\pi\tau}.$$
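The Dirichlet coefficients a_n of Definition 7.3.3 can be produced from point counts, as an added example that is not code from the book: a_p is found by exhaustive counting mod p, the local factors are expanded into coefficients of p^{-ks}, and multiplicativity assembles the a_n. The sample curve y² + y = x³ − x², its conductor 11 and its split multiplicative reduction at 11 (so ε(11) = 1) are facts taken from the literature, not computed here.

```python
# Added example (not from the book): Dirichlet coefficients a_n of the
# Hasse-Weil L-function of Definition 7.3.3, from brute-force point counts mod p.
# Sample curve (constructed input; its properties are taken from the literature,
# not computed here): y^2 + y = x^3 - x^2 is a minimal equation of conductor 11,
# with bad reduction only at 11, where it is split multiplicative: eps(11) = 1.
E11 = (0, -1, 1, 0, 0)     # (a1, a2, a3, a4, a6)
E11_BAD = {11: 1}          # p -> eps(p)

def count_points(a, p):
    """N_p: number of projective F_p-points on
    y^2 + a1 x y + a3 y = x^3 + a2 x^2 + a4 x + a6 (exhaustive, small p only)."""
    a1, a2, a3, a4, a6 = a
    n = 1                                   # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a2 * x * x + a4 * x + a6) % p
        for y in range(p):
            if (y * y + a1 * x * y + a3 * y - rhs) % p == 0:
                n += 1
    return n

def a_p(a, p):
    """a_p = p + 1 - N_p at a prime of good reduction (Hasse: |a_p| <= 2 sqrt p)."""
    return p + 1 - count_points(a, p)

def primes_upto(n):
    sieve = [True] * (n + 1)
    out = []
    for p in range(2, n + 1):
        if sieve[p]:
            out.append(p)
            for m in range(p * p, n + 1, p):
                sieve[m] = False
    return out

def local_coefficients(p, value, good, nmax):
    """Coefficients c_k of p^{-ks} in the expansion of the local Euler factor,
    for all p^k <= nmax.  Good p: (1 - a_p p^-s + p^{1-2s})^{-1}, which gives
    c_0 = 1, c_1 = a_p and c_{k+1} = a_p c_k - p c_{k-1}.  Bad p:
    (1 - eps(p) p^-s)^{-1}, which gives c_k = eps(p)^k."""
    c = [1]
    while p ** len(c) <= nmax:
        if good and len(c) == 1:
            c.append(value)
        elif good:
            c.append(value * c[-1] - p * c[-2])
        else:
            c.append(value * c[-1])
    return c

def dirichlet_coefficients(a, bad, nmax):
    """a_n for 1 <= n <= nmax (index 0 unused), by expanding the Euler product
    prime by prime: a_n is multiplicative, so a_{m p^k} = a_m c_k when gcd(m, p) = 1."""
    an = [0] * (nmax + 1)
    an[1] = 1
    for p in primes_upto(nmax):
        if p in bad:
            c = local_coefficients(p, bad[p], False, nmax)
        else:
            c = local_coefficients(p, a_p(a, p), True, nmax)
        for m in range(1, nmax + 1):
            if m % p == 0 or an[m] == 0:
                continue                    # m coprime to p, built from smaller primes
            for k in range(1, len(c)):
                if m * p ** k > nmax:
                    break
                an[m * p ** k] = an[m] * c[k]
    return an

if __name__ == "__main__":
    print("a_p for p = 2, 3, 5, 7, 13:", [a_p(E11, p) for p in (2, 3, 5, 7, 13)])
    print("a_n, n <= 13:", dirichlet_coefficients(E11, E11_BAD, 13)[1:])
```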

We  can  now  state  the  first  conjecture  on  L-functions  of  elliptic  curves: 

Conjecture 7.3.4. The function $L(E,s)$ can be analytically continued to the
whole complex plane to an entire function. Furthermore, there exists a positive
integer N, such that if we set
$$\Lambda(E,s) = N^{s/2}(2\pi)^{-s}\,\Gamma(s)\,L(E,s),$$
then we have the following functional equation:
$$\Lambda(E, 2 - s) = \pm\Lambda(E,s).$$


In this case, the Riemann hypothesis states that apart from the trivial
zeros at non-positive integers, the zeros of $L(E,s)$ all lie on the critical line
$\mathrm{Re}\, s = 1$.

The number N occurring in Conjecture 7.3.4 is a very important invariant
of the curve. It is called the (analytic) conductor of E. From work of Carayol
[Car], it follows that it must be equal to the (geometric) conductor of E which
can be defined without reference to any conjectures. It suffices to say that it
has the form $\prod_p p^{e_p}$, where the product is over primes of bad reduction, and
for p > 3, $e_p = 1$ if E has multiplicative reduction at p, $e_p = 2$ if E has
additive reduction. For p ≤ 3, the recipe is more complicated and is given in
Section 7.5.

One  can  also  give  a  recipe  for  the  ±  sign  occurring  in  the  functional 
equation. 


7.3.3 The Taniyama-Weil Conjecture

Now if the reader has a little acquaintance with modular forms, he will notice
that the conjectured form of the functional equation of $L(E,s)$ is the same as
the functional equation for the Mellin transform of a modular form of weight
2 over the group
$$\Gamma_0(N) = \left\{\begin{pmatrix} a & b\\ c & d\end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z}),\ c \equiv 0 \pmod N\right\}$$


(see  [Lang4],  [Ogg]  or  [Zag]  for  all  relevant  definitions  about  modular  forms). 
Indeed,  one  can  prove  the  following 


Theorem 7.3.5. Let f be a modular cusp form of weight 2 on the group
$\Gamma_0(N)$ (equivalently $f(\tau)\,d\tau$ is a differential of the first kind on $X_0(N) =
\mathcal{H}/\Gamma_0(N)$). Assume that f is a normalized newform (hence, in particular,
an eigenform for the Hecke operators) and that f has rational Fourier coefficients.
Then there exists an elliptic curve E defined over Q such that $f = f_E$,
i.e. such that the Mellin transform of $f(it/\sqrt{N})$ is equal to $\Lambda(E,s)$.

Such  a  curve  E  is  called  a  modular  elliptic  curve,  and  is  a  natural  quotient 
of  the  Jacobian  of  the  curve  Xo(N).  Since  analytic  continuation  and  functional 
equations  are  trivial  consequences  of  the  modular  invariance  of  modular  forms 
we  obtain: 

Corollary 7.3.6. Let E be a modular elliptic curve, and let $f = \sum_{n\ge1} a_nq^n$
be the corresponding cusp form. Then Conjecture 7.3.4 is true for the curve
E. In addition, it is known from Atkin-Lehner theory that one must have
$f(-1/(N\tau)) = -\varepsilon N\tau^2 f(\tau)$ with $\varepsilon = \pm1$. Then the functional equation is
$$\Lambda(E, 2 - s) = \varepsilon\,\Lambda(E,s).$$

(Please note the minus sign in the formula for $f(-1/(N\tau))$ which causes
confusion and many mistakes in tables.) The number $\varepsilon$ is called the sign of
the functional equation.

With  Theorem  7.3.5  in  mind,  it  is  natural  to  ask  if  the  converse  is  true, 
i.e.  whether  every  elliptic  curve  over  Q  is  modular.  This  conjecture  was  first  set 
forth  by  Taniyama.  Its  full  importance  and  plausibility  was  understood  only 
after  Weil  proved  the  following  theorem,  which  we  state  only  in  an  imprecise 
form  (the  precise  statement  can  be  found  e.g.  in  [Ogg]): 


Theorem 7.3.7 (Weil). Let $f(\tau) = \sum_{n\ge1} a_nq^n$, and for all primitive Dirichlet
characters $\chi$ of conductor m set
$$L(f,\chi,s) = \sum_{n\ge1} \frac{a_n\,\chi(n)}{n^s},$$
$$\Lambda(f,\chi,s) = |Nm^2|^{s/2}(2\pi)^{-s}\,\Gamma(s)\,L(f,\chi,s).$$

Assume that these functions satisfy functional equations of the following form:
$$\Lambda(f,\chi,2-s) = w(\chi)\,\Lambda(f,\chi,s),$$
where $w(\chi)$ has modulus one, and assume that as $\chi$ varies, $w(\chi)$ satisfies
certain compatibility conditions (being precise here would carry us a little too
far). Then f is a modular form of weight 2 over $\Gamma_0(N)$.


Because of this theorem, the above conjecture becomes much more plausible.
The Taniyama-Weil conjecture is then as follows:

Conjecture 7.3.8 (Taniyama-Weil). Let E be an elliptic curve over Q, let
$L(E,s) = \sum_{n\ge1} a_nn^{-s}$ be its L-series, and let $f_E(\tau) = \sum_{n\ge1} a_nq^n$, so that
the Mellin transform of $f_E(it/\sqrt{N})$ is equal to $\Lambda(E,s)$. Then $f_E$ is a cusp
form of weight 2 on $\Gamma_0(N)$ which is an eigenfunction of the Hecke operators.
Furthermore, there exists a morphism $\varphi$ of curves from $X_0(N)$ to E, defined
over Q, such that the inverse image by $\varphi$ of the differential $dx/(2y + a_1x + a_3)$
is the differential $c\,(2i\pi)f(\tau)\,d\tau = c\,f(\tau)\,dq/q$, where c is some constant.

Note that the constant c, called Manin's constant, is conjectured to be
always equal to ±1 when $\varphi$ is a “strong Weil parametrization” of E (see [Sil]).

A curve satisfying the Taniyama-Weil conjecture was called above a modular
elliptic curve. Since this may lead to some confusion with modular curves
(the curves $X_0(N)$) which are in general not elliptic, they are called Weil
curves (which incidentally seems a little unfair to Taniyama).

The main theorem concerning this conjecture is Wiles's celebrated theorem,
which states that when N is squarefree, the conjecture is true (see
[Wiles], [Tay-Wil]). This result has been generalized by Diamond to the case
where N is only assumed not to be divisible by 9 and 25. In addition, using
Weil's Theorem 7.3.7, it was proved long ago by Shimura (see [Shi1] and
[Shi2]) that it is true for elliptic curves with complex multiplication.

There is also a recent conjecture of Serre (see [Ser1]), which roughly states
that any odd 2-dimensional representation of the Galois group $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$ over
a finite field must come from a modular form. It can be shown that Serre's
conjecture implies the Taniyama-Weil conjecture.

The Taniyama-Weil conjecture, and hence the Taylor-Wiles proof, is
mainly important for its own sake. However, it has attracted a lot of attention
because of a deep result due to Ribet [Rib], saying that the Taniyama-Weil
conjecture for squarefree N implies the full strength of Fermat's last “theorem”
(FLT): if $x^n + y^n = z^n$ with x, y, z non-zero integers, then one must have
n ≤ 2. Thanks to Wiles, this is now really a theorem. Although it is not so
interesting in itself, FLT has had amazing consequences on the development of
number theory, since it is in large part responsible for the remarkable achievements
of algebraic number theorists in the nineteenth century, and also as a
further motivation for the study of elliptic curves, thanks to Ribet's result.


7.3.4  The  Birch  and  Swinnerton-Dyer  Conjecture 

The other conjecture on elliptic curves which is of fundamental importance
was stated by Birch and Swinnerton-Dyer after doing quite a lot of computer
calculations on elliptic curves (see [Bir-SwD1], [Bir-SwD2]). For the remainder
of this paragraph, we assume that we are dealing with a curve E defined
over Q and satisfying Conjecture 7.3.4, for example a curve with complex
multiplication, or more generally a Weil curve. (The initial computations of
Birch and Swinnerton-Dyer were done on curves with complex multiplication.)

Recall that we defined in a purely algebraic way the rank of an elliptic
curve. A weak version of the Birch and Swinnerton-Dyer Conjecture (BSD) is
that the rank is positive (i.e. E(Q) is infinite) if and only if $L(E,1) = 0$. This
is quite remarkable, and illustrates the fact that the function $L(E,s)$ which is
obtained by putting together local data for every prime p, conjecturally gives
information on global data, i.e. on the rational points.

The  precise  statement  of  the  Birch  and  Swinnerton-Dyer  conjecture  is  as 
follows: 

Conjecture 7.3.9 (Birch and Swinnerton-Dyer). Let E be an elliptic curve
over Q, and assume that Conjecture 7.3.4 (analytic continuation essentially)
is true for E. Then if r is the rank of E, the function $L(E,s)$ has a zero of
order exactly r at s = 1, and in addition
$$\lim_{s\to1}(s-1)^{-r}L(E,s) = \Omega\,|\text{Ш}(E/\mathbb{Q})|\,R(E/\mathbb{Q})\,|E(\mathbb{Q})_{\mathrm{tors}}|^{-2}\prod_p c_p,$$
where $\Omega$ is a real period of E, $R(E/\mathbb{Q})$ is the so-called regulator of E, which
is an r × r determinant formed by pairing in a suitable way a basis of the non-torsion
points, the product is over the primes of bad reduction, $c_p$ are small
integers, and $\text{Ш}(E/\mathbb{Q})$ is the so-called Tate-Shafarevitch group of E.

It would carry us too far to explain in detail these quantities. Note only
that the only quantity which is difficult to compute (in addition to the rank
r) is the Tate-Shafarevitch group. In Sections 7.4 and 7.5 we will give algorithms
to compute all the quantities which enter into this conjecture, except for
$|\text{Ш}(E/\mathbb{Q})|$ which is then obtained by division (the result must be an integer,
and in fact even a square, and this gives a check on the computations). More
precisely, Section 7.5.3 gives algorithms for computing $\lim_{s\to1}(s-1)^{-r}L(E,s)$,
the quantities $\Omega$ and $|E(\mathbb{Q})_{\mathrm{tors}}|$ are computed using Algorithms 7.4.7 and 7.5.5,
the regulator $R(E/\mathbb{Q})$ is obtained by computing a determinant of height pairings
of a basis of the torsion-free part of E(Q), these heights being computed
using Algorithms 7.5.6 and 7.5.7. Finally, the $c_p$ are obtained by using Algorithm
7.5.1 if p ≥ 5 and Algorithm 7.5.2 if p = 2 or 3.

Note  that  the  above  computational  descriptions  assume  that  we  know  a 
basis  of  the  torsion- free  part  of  E(Q)  and  hence,  in  particular,  the  rank  r,  and 
that  this  is  in  general  quite  difficult. 

The reader should compare Conjecture 7.3.9 with the corresponding result
for the 0-dimensional case, i.e. Theorem 4.9.12. Dedekind's formula at s = 0 is
very similar to the BSD formula, with the regulator and torsion points playing
the same role, and with the class group replaced by the Tate-Shafarevitch
group, the units of K being of course analogous to the rational points.

Apart from numerous numerical verifications of BSD, few results have
been obtained on BSD, and all are very deep. For example, only in 1987 was
it proved by Rubin and Kolyvagin (see [Kol1], [Kol2], [Rub]) that Ш is finite
for certain elliptic curves. The first result on BSD was obtained in 1977 by
Coates and Wiles [Coa-Wil] who showed that if E has complex multiplication
and if E(Q) is infinite, then $L(E,1) = 0$. Further results have been obtained,
in particular by Gross-Zagier, Rubin and Kolyvagin (see [Gro-Zag2], [GKZ],
[Kol1], [Kol2]). For example, the following is now known:

Theorem 7.3.10. Let E be a Weil curve. Then

(1) If $L(E,1) \ne 0$ then r = 0.

(2) If $L(E,1) = 0$ and $L'(E,1) \ne 0$ then r = 1.

Furthermore, in both these cases |Ш| is finite, and up to some simple factors
divides the conjectural |Ш| involved in BSD.

The  present  status  of  BSD  is  essentially  that  very  little  is  known  when  the 
rank  is  greater  than  or  equal  to  2. 

Another conjecture about the rank is that it is unbounded. This seems
quite plausible. Using a construction of J.-F. Mestre (see [Mes3] and Exercise
9), Nagao has obtained an infinite family of curves of rank greater than or equal
to 13 (see [Nag]), and Mestre himself has just obtained an infinite family of
curves of rank greater than or equal to 14 (see [Mes5]). Furthermore, using Mestre's
construction, several authors have obtained individual curves of much higher
rank, the current record being rank 22 by Fermigier (see [Mes4], [Fer1], [Nag-Kou]
and [Fer2]).


7.4  Algorithms  for  Elliptic  Curves 

The  previous  sections  finish  up  our  survey  of  results  and  conjectures  about 
elliptic  curves.  Although  the  only  results  which  we  will  need  in  what  follows 
are  the  results  giving  the  group  law,  and  Theorems  7.2.14  and  7.2.15  giving 
basic  properties  of  curves  with  complex  multiplication,  elliptic  curves  are  a 
fascinating  field  of  study  per  se,  so  we  want  to  describe  a  number  of  algorithms 
to  work  on  them.  Most  of  the  algorithms  will  be  given  without  proof  since 
this  would  carry  us  too  far.  Note  that  these  algorithms  are  for  the  most  part 
scattered  in  the  literature,  but  others  are  part  of  the  folklore  or  are  new. 
I  am  particularly  indebted  to  J.-F.  Mestre  and  D.  Bernardi  for  many  of  the 
algorithms  of  this  section.  The  most  detailed  collection  of  algorithms  on  elliptic 
curves  can  be  found  in  the  recent  book  of  Cremona  [Cre]. 


7.4.1  Algorithms  for  Elliptic  Curves  over  C 

The problems that we want to solve here are the following.

(1) Given $\omega_1$ and $\omega_2$, compute the coefficients $g_2$ and $g_3$ of the Weierstraß
equation of the corresponding curve.

(2) Given $\omega_1$ and $\omega_2$ and a complex number z, compute $\wp(z)$ and $\wp'(z)$.

(3) Conversely given $g_2$ and $g_3$ such that $g_2^3 - 27g_3^2 \ne 0$, compute $\omega_1$ and $\omega_2$
(which are unique only up to an element of $\mathrm{SL}_2(\mathbb{Z})$).

(4) Similarly, given $g_2$, $g_3$ and a point (x, y) on the corresponding Weierstraß
curve, compute the complex number z (unique up to addition of an element
of the period lattice generated by $\omega_1$ and $\omega_2$) such that $x = \wp(z)$ and
$y = \wp'(z)$.

If necessary, after exchanging $\omega_1$ and $\omega_2$, we may assume that $\mathrm{Im}(\omega_1/\omega_2) > 0$,
i.e. if we set $\tau = \omega_1/\omega_2$ then $\tau \in \mathcal{H}$. As usual, we always set $q = e^{2i\pi\tau}$, and
we have |q| < 1 when $\tau \in \mathcal{H}$. Then we have the following proposition:


Proposition 7.4.1. We have

and also
$$g_3 = \left(\frac{2\pi}{\omega_2}\right)^6 \frac{1}{216}\left(1 - 504\sum_{n\ge1}\frac{n^5q^n}{1-q^n}\right).$$

This could already be used to compute $g_2$ and $g_3$ reasonably efficiently, but
it would be slow when $\tau$ is close to the real line. In this case, one should first
find the complex number $\tau'$ belonging to the fundamental domain $\mathcal{F}$ which
is equivalent to $\tau$, compute $g_2$ and $g_3$ for $\tau'$, and then come back to $\tau$ using
the (trivial) transformation laws of $g_2$ and $g_3$, i.e. $g_k(a\omega_1 + b\omega_2,\ c\omega_1 + d\omega_2) =
g_k(\omega_1, \omega_2)$ when $\begin{pmatrix} a & b\\ c & d\end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z})$. This leads to the following algorithms.


Algorithm 7.4.2 (Reduction). Given $\tau \in \mathcal{H}$, this algorithm outputs the unique
$\tau'$ equivalent to $\tau$ under the action of $\mathrm{SL}_2(\mathbb{Z})$ and which belongs to the standard
fundamental domain $\mathcal{F}$, as well as the matrix $A \in \mathrm{SL}_2(\mathbb{Z})$ such that $\tau' = A\tau$.

1. [Initialize] Set $A \leftarrow \begin{pmatrix} 1 & 0\\ 0 & 1\end{pmatrix}$.

2. [Reduce real part] Let $n \leftarrow [\mathrm{Re}(\tau)]$, $\tau \leftarrow \tau - n$, $A \leftarrow \begin{pmatrix} 1 & -n\\ 0 & 1\end{pmatrix} A$.

3. [Finished] Set $m \leftarrow |\tau|^2$. If m ≥ 1, output $\tau$ and A and terminate the algorithm.
Otherwise set $\tau \leftarrow -\bar\tau/m$, $A \leftarrow \begin{pmatrix} 0 & -1\\ 1 & 0\end{pmatrix} A$, and go to step 2.

This is of course closely related to the reduction algorithm for positive definite
quadratic forms (Algorithm 5.4.2), as well as to Gauss's lattice reduction
algorithm in dimension 2 (Algorithm 1.3.14).

Warning. The condition m ≥ 1 in step 3 should in practice be implemented
as $m \ge 1 - \varepsilon$ for some $\varepsilon > 0$ depending on the current accuracy. If this
precaution is not taken the algorithm may loop indefinitely, and the cost is
simply that the final $\tau$ may land very close to but not exactly in the standard
fundamental domain, and this has absolutely no consequence for practical
computations.

We can now give the algorithm for computing $g_2$ and $g_3$.

Algorithm 7.4.3 ($g_2$ and $g_3$). Given $\omega_1$ and $\omega_2$ generating a lattice L, this
algorithm computes the coefficients $g_2$ and $g_3$ of the Weierstraß equation of the
elliptic curve C/L.

1. [Initialize] If $\mathrm{Im}(\omega_1/\omega_2) < 0$, exchange $\omega_1$ and $\omega_2$. Then set $\tau \leftarrow \omega_1/\omega_2$.

2. [Reduce] Using Algorithm 7.4.2, find a matrix $A = \begin{pmatrix} a & b\\ c & d\end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z})$ such
that $\tau' = A\tau$ is in the fundamental domain $\mathcal{F}$. Set $q' = e^{2i\pi\tau'}$.

3. [Compute] Compute $g_2$ and $g_3$ using the formulas given in Proposition 7.4.1,
replacing q by $q'$ and $\omega_2$ by $c\omega_1 + d\omega_2$, and terminate the algorithm.

Since $\tau' \in \mathcal{F}$ we have $\mathrm{Im}\,\tau' \ge \sqrt3/2$ hence $|q'| \le e^{-\pi\sqrt3} \approx 4.33\cdot10^{-3}$, so
the convergence of the series, although linear, will be very fast.

We can also use the power series expansions to compute $\wp(z)$ and $\wp'(z)$:

Proposition 7.4.4. Set $\tau = \omega_1/\omega_2 \in \mathcal{H}$, $q = e^{2i\pi\tau}$ and $u = e^{2i\pi z/\omega_2}$. Then
$$\wp(z) = \left(\frac{2i\pi}{\omega_2}\right)^2\left(\frac{1}{12} + \frac{u}{(1-u)^2} + \sum_{n\ge1}\left(\frac{q^nu}{(1-q^nu)^2} + \frac{q^nu}{(q^n-u)^2} - \frac{2q^n}{(1-q^n)^2}\right)\right)$$
and
$$\wp'(z) = \left(\frac{2i\pi}{\omega_2}\right)^3 u\left(\frac{1+u}{(1-u)^3} + \sum_{n\ge1} q^n\left(\frac{1+q^nu}{(1-q^nu)^3} + \frac{q^n+u}{(q^n-u)^3}\right)\right).$$

Note that the formula for $\wp'(z)$ in the first printing of [Sil] is incorrect.
As usual, we must do reductions of $\tau$ and z before applying the crude
formulas, and this gives the following algorithm.


Algorithm 7.4.5 ($\wp(z)$ and $\wp'(z)$). Given $\omega_1$ and $\omega_2$ generating a lattice L,
and $z \in \mathbb{C}$, this algorithm computes $\wp(z)$ and $\wp'(z)$.

1. [Initialize and reduce] If $\mathrm{Im}(\omega_1/\omega_2) < 0$, exchange $\omega_1$ and $\omega_2$. Then set $\tau \leftarrow
\omega_1/\omega_2$. Using Algorithm 7.4.2, find a matrix $A = \begin{pmatrix} a & b\\ c & d\end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z})$ such
that $A\tau$ is in the fundamental domain $\mathcal{F}$. Finally, set $\tau \leftarrow A\tau$ and $\omega_2 \leftarrow
c\omega_1 + d\omega_2$.

2. [Reduce z] Set $z \leftarrow z/\omega_2$, $n \leftarrow [\mathrm{Im}(z)/\mathrm{Im}(\tau)]$, $z \leftarrow z - n\tau$ and $z \leftarrow
z - [\mathrm{Re}(z)]$.

3. [Compute] If z = 0, output a message saying that $z \in L$. Otherwise compute
$\wp(z)$ and $\wp'(z)$ using the formulas given in Proposition 7.4.4 (with $u = e^{2i\pi z}$
since we have already divided z by $\omega_2$) and terminate the algorithm.

Remark. For the above computations it is more efficient to use the formulas
that link elliptic functions with the $\sigma$ function, since the latter are theta series
and so can be computed efficiently. For reasonable accuracy however (say less
than 100 decimal digits) the above formulas suffice.
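Algorithms 7.4.2, 7.4.3 and 7.4.5, implemented in double precision as an added example that is not code from the book, and cross-checked with the Weierstraß relation ℘'(z)² = 4℘(z)³ − g_2℘(z) − g_3 and with the lattices Z[i] (g_3 = 0) and Z[ρ] (g_2 = 0). The g_2 series used, g_2 = (2π/ω_2)⁴(1/12)(1 + 240Σσ_3(n)qⁿ), is the standard Eisenstein expansion and is assumed here, as are the tolerance ε and the number of series terms.

```python
# Added example (not from the book): Algorithms 7.4.2 (reduction of tau),
# 7.4.3 (g2, g3) and 7.4.5 (wp(z), wp'(z)) in double precision, cross-checked
# by the Weierstrass relation wp'(z)^2 = 4 wp(z)^3 - g2 wp(z) - g3.
# Assumptions: the g2 series is the standard Eisenstein expansion
# g2 = (2 pi/w2)^4 (1/12)(1 + 240 sum sigma_3(n) q^n); EPS and TERMS are chosen
# for roughly 1e-12 accuracy given |q'| <= 4.33e-3 after reduction.
import cmath
import math

EPS = 1e-12      # tolerance in the test |tau|^2 >= 1 (see the Warning after 7.4.2)
TERMS = 40       # q-series terms kept; |q'|^40 is far below double precision
RHO = complex(-0.5, math.sqrt(3) / 2)   # rho = (-1 + sqrt(-3))/2

def reduce_tau(tau):
    """Algorithm 7.4.2: return (tau', (a, b, c, d)) with tau' in the standard
    fundamental domain and tau' = (a tau + b)/(c tau + d), ad - bc = 1."""
    a, b, c, d = 1, 0, 0, 1                       # A <- identity
    while True:
        n = round(tau.real)                       # nearest integer to Re(tau)
        tau -= n                                  # tau <- tau - n
        a, b = a - n * c, b - n * d               # A <- (1 -n; 0 1) A
        if abs(tau) ** 2 >= 1 - EPS:              # m >= 1 - eps: finished
            return tau, (a, b, c, d)
        tau = -1 / tau                            # tau <- -1/tau
        a, b, c, d = -c, -d, a, b                 # A <- (0 -1; 1 0) A

def sigma(k, n):
    return sum(d ** k for d in range(1, n + 1) if n % d == 0)

def reduced_basis(w1, w2):
    """Common first steps of 7.4.3 and 7.4.5: ensure Im(w1/w2) > 0, reduce tau,
    and replace w2 by c w1 + d w2 (transformation law of g_k)."""
    if (w1 / w2).imag < 0:
        w1, w2 = w2, w1
    tau, (a, b, c, d) = reduce_tau(w1 / w2)
    return tau, c * w1 + d * w2

def g2_g3(w1, w2):
    """Algorithm 7.4.3: g2 and g3 of the lattice Z w1 + Z w2."""
    tau, w2 = reduced_basis(w1, w2)
    q = cmath.exp(2j * math.pi * tau)
    e4 = 1 + 240 * sum(sigma(3, n) * q ** n for n in range(1, TERMS))
    e6 = 1 - 504 * sum(sigma(5, n) * q ** n for n in range(1, TERMS))
    return (2 * math.pi / w2) ** 4 * e4 / 12, (2 * math.pi / w2) ** 6 * e6 / 216

def wp(w1, w2, z):
    """Algorithm 7.4.5: (wp(z), wp'(z)) for the lattice Z w1 + Z w2, Prop. 7.4.4."""
    tau, w2 = reduced_basis(w1, w2)
    z = z / w2                                    # step 2: reduce z
    z -= round(z.imag / tau.imag) * tau
    z -= round(z.real)
    if abs(z) < EPS:
        raise ValueError("z is a lattice point")
    q = cmath.exp(2j * math.pi * tau)
    u = cmath.exp(2j * math.pi * z)               # u = exp(2 i pi z), z already divided by w2
    p = 1 / 12 + u / (1 - u) ** 2
    dp = u * (1 + u) / (1 - u) ** 3
    for n in range(1, TERMS):
        qn = q ** n
        p += qn * u / (1 - qn * u) ** 2 + qn * u / (qn - u) ** 2 - 2 * qn / (1 - qn) ** 2
        dp += qn * u * (1 + qn * u) / (1 - qn * u) ** 3 + qn * u * (qn + u) / (qn - u) ** 3
    k = 2j * math.pi / w2
    return k ** 2 * p, k ** 3 * dp

def weierstrass_residual(w1, w2, z):
    """Relative size of wp'(z)^2 - (4 wp(z)^3 - g2 wp(z) - g3); close to 0 when
    the three algorithms agree with each other."""
    g2, g3 = g2_g3(w1, w2)
    p, dp = wp(w1, w2, z)
    return abs(dp ** 2 - (4 * p ** 3 - g2 * p - g3)) / max(1.0, abs(dp) ** 2)

if __name__ == "__main__":
    print("reduce 0.3+0.1i ->", reduce_tau(0.3 + 0.1j))
    print("g2, g3 for Z i + Z:", g2_g3(1j, 1))       # g3 = 0 (j = 1728)
    print("g2, g3 for Z rho + Z:", g2_g3(RHO, 1))    # g2 = 0 (j = 0)
    print("residual:", weierstrass_residual(1 + 2j, 3, 0.4 + 0.7j))
```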

We now consider the inverse problems. Given $g_2$ and $g_3$ defining a Weierstraß
equation, we want to compute a basis $\omega_1$ and $\omega_2$ of the corresponding
lattice.

First, recall the definition of the Arithmetic-Geometric Mean (AGM) of
two numbers.

Definition 7.4.6. Let a and b be two positive real numbers. The Arithmetic-Geometric
mean of a and b, denoted by AGM(a, b) is defined as the common
limit of the two sequences $a_n$ and $b_n$ defined by $a_0 = a$, $b_0 = b$, $a_{n+1} =
(a_n + b_n)/2$ and $b_{n+1} = \sqrt{a_nb_n}$.


It is an easy exercise to show that these sequences converge and that they
have a common limit AGM(a, b) (see Exercise 10). It can also be proved quite
easily that
$$\frac{\pi}{2\,\mathrm{AGM}(a,b)} = \int_0^{\pi/2}\frac{dt}{\sqrt{a^2\cos^2t + b^2\sin^2t}}$$
(see Exercise 11) and this can easily be transformed into an elliptic integral,
which explains the relevance of the AGM to our problems. For many more
details on the AGM, I refer to the marvelous book of Borwein and Borwein
[Bor-Bor].

Apart from their relevance to elliptic integrals, the fundamental property of the AGM sequences $a_n$ and $b_n$ is that they converge quadratically, i.e. the number of significant decimals approximately doubles with each iteration (see Exercise 10). For example, there exist AGM-related methods for computing $\pi$ to high precision (see again [Bor-Bor]), and since $2^{20} > 10^6$ only 20 iterations are needed to compute 1000000 decimals of $\pi$!

The AGM can also be considered when $a$ and $b$ are not positive real numbers but are arbitrary complex numbers. Here the situation is more complicated, but can be summarized as follows. At each stage of the iteration, we must choose some square root of $a_n b_n$. Assume that for $n$ sufficiently large the same branch of the square root is taken (for example the principal branch, but it can be any other branch). Then the sequences again converge quadratically to the same limit, but this limit of course now depends on the choices made for the square roots. In addition, the set of values of $\pi/\mathrm{AGM}(a, b)$ (where now $\mathrm{AGM}(a, b)$ has infinitely many values) together with $0$ form a lattice $L$ in $\mathbb{C}$. The precise link with elliptic curves is as follows. Let $e_1$, $e_2$, $e_3$ be the three complex roots of the polynomial $4x^3 - g_2 x - g_3$ such that $y^2 = 4x^3 - g_2 x - g_3$ defines an elliptic curve $E$. Then, when the AGM runs through all its possible determinations, $\pi/\mathrm{AGM}(\sqrt{e_1 - e_3}, \sqrt{e_1 - e_2})$ gives all the lattice points (except $0$) of the lattice $L$ such that $E \simeq \mathbb{C}/L$.
We however will usually use the AGM over the positive real numbers, where it is single-valued, since the elliptic curves that we will mainly consider are defined over $\mathbb{R}$, and even over $\mathbb{Q}$. In this case, the following algorithm gives a basis of the period lattice $L$. Since our curves will usually be given by a generalized Weierstraß equation $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ instead of the simpler equation $Y^2 = 4X^3 - g_2 X - g_3$, we give the algorithm in that context.

Algorithm 7.4.7 (Periods of an Elliptic Curve over $\mathbb{R}$). Given real numbers $a_1, \dots, a_6$, this algorithm computes the basis $(\omega_1, \omega_2)$ of the period lattice of $E$ such that $\omega_2$ is a positive real number and $\omega_1/\omega_2$ has positive imaginary part and a real part equal to $0$ or $-1/2$.

1. [Initialize] Using Formulas (7.1), compute $b_2$, $b_4$, $b_6$ and $\Delta$, and if $\Delta < 0$ go to step 3.

2. [Disconnected case] Let $e_1$, $e_2$ and $e_3$ be the three real roots of the polynomial $4x^3 + b_2 x^2 + 2b_4 x + b_6 = 0$ with $e_1 > e_2 > e_3$. Set $\omega_2 \leftarrow \pi/\mathrm{AGM}(\sqrt{e_1 - e_3}, \sqrt{e_1 - e_2})$, $\omega_1 \leftarrow i\pi/\mathrm{AGM}(\sqrt{e_1 - e_3}, \sqrt{e_2 - e_3})$ and terminate the algorithm.

3. [Connected case] Let $e_1$ be the unique real root of $4x^3 + b_2 x^2 + 2b_4 x + b_6 = 0$. Set $\alpha \leftarrow 3e_1 + b_2/4$ and $\beta \leftarrow \sqrt{3e_1^2 + (b_2/2)e_1 + b_4/2}$. Then set $\omega_2 \leftarrow 2\pi/\mathrm{AGM}(2\sqrt{\beta}, \sqrt{2\beta + \alpha})$, $\omega_1 \leftarrow \omega_2/2 + i\pi/\mathrm{AGM}(2\sqrt{\beta}, \sqrt{2\beta - \alpha})$ and terminate the algorithm.

Note that the "real period" $\Omega$ occurring in the Birch and Swinnerton-Dyer conjecture 7.3.9 is $2\omega_2$ when $\Delta > 0$, and $\omega_2$ otherwise, and that $\omega_1/\omega_2$ is not necessarily in the standard fundamental domain for $\mathcal{H}/\mathrm{SL}_2(\mathbb{Z})$.

Finally, we need an algorithm to compute the functional inverse of the $\wp$ function.

The Weierstraß parametrization $(\wp(z) : \wp'(z) : 1)$ can be seen as an exponential morphism from the universal covering $\mathbb{C}$ of $E(\mathbb{C})$. It can be considered as the composition of three maps:

$$\mathbb{C} \longrightarrow \mathbb{C}^* \longrightarrow \mathbb{C}^*/q^{\mathbb{Z}} \longrightarrow E(\mathbb{C})$$

$$z \longmapsto u = e^{2i\pi z/\omega_2} \longmapsto u \bmod q^{\mathbb{Z}} \longmapsto (\wp(z), \wp'(z)),$$

the last one being an isomorphism. Its functional inverse, which we can naturally call the elliptic logarithm, is thus a multi-valued function. In fact, Algorithm 7.4.7 can be extended so as to find the inverse image of a given point. Since square roots occur, this gives rise to the same indeterminacy as before, i.e. the point $z$ is defined only up to addition of a point of the period lattice $L$. As in the previous algorithm, taking the positive square root in the real case gives directly the unique $u$ such that $|q| < |u| \leq 1$. We will therefore only give the description for a real point.


7.4  Algorithms  for  Elliptic  Curves 


399 


Algorithm 7.4.8 (Elliptic Logarithm). Given real numbers $a_1, \dots, a_6$ defining a generalized Weierstraß equation for an elliptic curve $E$ and a point $P = (x, y)$ on $E(\mathbb{R})$, this algorithm computes the unique complex number $z$ such that $\wp(z) = x + b_2/12$ and $\wp'(z) = 2y + a_1 x + a_3$, where $\wp$ is the Weierstraß function corresponding to the period lattice of $E$, and which satisfies the following additional conditions. Either $z$ is real and $0 \leq z < \omega_2$, or $\Delta > 0$, $z - \omega_1/2$ is real and satisfies $0 \leq z - \omega_1/2 < \omega_2$.

1. [Initialize] Using Formulas (7.1), compute $b_2$, $b_4$, $b_6$ and $\Delta$. If $\Delta < 0$ go to step 6.

2. [Disconnected case] Let $e_1$, $e_2$ and $e_3$ be the three real roots of the polynomial $4x^3 + b_2 x^2 + 2b_4 x + b_6 = 0$ with $e_1 > e_2 > e_3$. Set $a \leftarrow \sqrt{e_1 - e_3}$ and $b \leftarrow \sqrt{e_1 - e_2}$. If $x < e_1$ set $f \leftarrow 1$, $\lambda \leftarrow y/(x - e_3)$ and $x \leftarrow \lambda^2 + a_1\lambda - a_2 - x - e_3$, otherwise set $f \leftarrow 0$. Finally, set $c \leftarrow \sqrt{x - e_3}$.

3. [Loop] Repeat $(a, b, c) \leftarrow \bigl((a + b)/2,\ \sqrt{ab},\ (c + \sqrt{c^2 + b^2 - a^2})/2\bigr)$ until the difference $a - b$ is sufficiently small.

4. [Connected component] If $f = 0$ and $2y + a_1 x + a_3 < 0$ or $f = 1$ and $2y + a_1 x + a_3 > 0$ set $z \leftarrow \arcsin(a/c)/a$. Otherwise set $z \leftarrow (\pi - \arcsin(a/c))/a$. If $f = 0$ output $z$ and terminate the algorithm.

5. [Other component] Compute $\omega_1 \leftarrow i\pi/\mathrm{AGM}(\sqrt{e_1 - e_3}, \sqrt{e_2 - e_3})$ as in Algorithm 7.4.7 (unless of course this has already been done). Output $z + \omega_1/2$ and terminate the algorithm.

6. [Connected case] Let $e_1$ be the unique real root of $4x^3 + b_2 x^2 + 2b_4 x + b_6 = 0$. Set $\beta \leftarrow \sqrt{3e_1^2 + (b_2/2)e_1 + b_4/2}$, $\alpha \leftarrow 3e_1 + b_2/4$, $a \leftarrow 2\sqrt{\beta}$, $b \leftarrow \sqrt{\alpha + 2\beta}$ and $c \leftarrow (x - e_1 + \beta)/\sqrt{x - e_1}$.

7. [Loop] Repeat $(a, b, c) \leftarrow \bigl((a + b)/2,\ \sqrt{ab},\ (c + \sqrt{c^2 + b^2 - a^2})/2\bigr)$ until the difference $a - b$ is sufficiently small.

8. [Terminate] If $(2y + a_1 x + a_3)\bigl((x - e_1)^2 - \beta^2\bigr) < 0$, set $z \leftarrow \arcsin(a/c)/a$, otherwise set $z \leftarrow (\pi - \arcsin(a/c))/a$. If $2y + a_1 x + a_3 > 0$, set $z \leftarrow z + \pi/a$. Output $z$ and terminate the algorithm.

Note that we could have avoided the extra AGM in step 5, but this would have necessitated using the complex AGM and arcsin. Hence, it is simpler to proceed as above. In addition, in practice $\omega_1$ will have already been computed previously and so there is not really any extra AGM to compute.
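The AGM of Definition 7.4.6, Algorithm 7.4.7 and Algorithm 7.4.8, carried through together as an added worked example in Python. This is not code from the book; the function names `agm`, `b_invariants`, `real_roots`, `periods` and `elliptic_log` are mine. The book does not say how the real roots of $4x^3 + b_2 x^2 + 2b_4 x + b_6$ are to be found, so Cardano's formulas are used here. In step 2 of Algorithm 7.4.8 the translation by the 2-torsion point is written with the full chord slope $(y - y_T)/(x - e_3)$ where $2y_T = -(a_1 e_3 + a_3)$, which reduces to the page's $\lambda = y/(x - e_3)$ when $a_1 = a_3 = 0$; the two 2-torsion inputs $x = e_3$ (disconnected case) and $x = e_1$ (connected case), at which the algorithm's formulas would divide by zero, are returned directly as $\omega_1/2$ and $\omega_2/2$. The sample curves $y^2 = x^3 - x$ (square lattice, real period $\pi/\mathrm{AGM}(1, \sqrt{2})$) and $y^2 = x^3 + 1$ (one real component, $(0, \pm 1)$ of order 3) are constructed checks, not examples from the page.

```python
import math

def agm(a, b, tol=1e-15):
    # Arithmetic-geometric mean of positive reals (Definition 7.4.6).  Convergence is
    # quadratic, so double precision is exhausted in a handful of steps; the loop
    # bound is only a safety net.
    for _ in range(64):
        if abs(a - b) <= tol * a:
            break
        a, b = (a + b) / 2, math.sqrt(a * b)
    return (a + b) / 2

def b_invariants(a1, a2, a3, a4, a6):
    # b2, b4, b6 and Delta of y^2 + a1 x y + a3 y = x^3 + a2 x^2 + a4 x + a6 (Formulas (7.1)).
    b2 = a1 * a1 + 4 * a2
    b4 = 2 * a4 + a1 * a3
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return b2, b4, b6, -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6

def real_roots(b2, b4, b6, disc):
    # Real roots of 4x^3 + b2 x^2 + 2 b4 x + b6 in decreasing order, by Cardano's
    # formulas on the depressed cubic t^3 + A t + B, x = t - p/3 (my choice of
    # root-finder; the page does not prescribe one).
    p, q, r = b2 / 4, b4 / 2, b6 / 4
    A = q - p * p / 3
    B = 2 * p ** 3 / 27 - p * q / 3 + r
    if disc > 0:                                   # three real roots
        m = 2 * math.sqrt(-A / 3)
        phi = math.acos(max(-1.0, min(1.0, 3 * B / (A * m))))
        ts = [m * math.cos((phi - 2 * math.pi * k) / 3) for k in range(3)]
    else:                                          # one real root
        D = math.sqrt(B * B / 4 + A ** 3 / 27)
        cbrt = lambda v: math.copysign(abs(v) ** (1 / 3), v)
        ts = [cbrt(-B / 2 + D) + cbrt(-B / 2 - D)]
    return sorted((t - p / 3 for t in ts), reverse=True)

def periods(a1, a2, a3, a4, a6):
    # Algorithm 7.4.7: basis (w1, w2) of the period lattice, w2 real and positive.
    b2, b4, b6, disc = b_invariants(a1, a2, a3, a4, a6)
    roots = real_roots(b2, b4, b6, disc)
    if disc > 0:                                   # step 2: two real components
        e1, e2, e3 = roots
        w2 = math.pi / agm(math.sqrt(e1 - e3), math.sqrt(e1 - e2))
        w1 = 1j * math.pi / agm(math.sqrt(e1 - e3), math.sqrt(e2 - e3))
    else:                                          # step 3: one real component
        e1 = roots[0]
        alpha = 3 * e1 + b2 / 4
        beta = math.sqrt(3 * e1 * e1 + (b2 / 2) * e1 + b4 / 2)
        w2 = 2 * math.pi / agm(2 * math.sqrt(beta), math.sqrt(2 * beta + alpha))
        w1 = w2 / 2 + 1j * math.pi / agm(2 * math.sqrt(beta), math.sqrt(2 * beta - alpha))
    return w1, w2

def elliptic_log(a1, a2, a3, a4, a6, x, y, tol=1e-15):
    # Algorithm 7.4.8 for a real point (x, y) of E(R).
    b2, b4, b6, disc = b_invariants(a1, a2, a3, a4, a6)
    roots = real_roots(b2, b4, b6, disc)
    yy = 2 * y + a1 * x + a3                       # sign of wp'(z); used in steps 4 and 8
    if disc > 0:                                   # step 2
        e1, e2, e3 = roots
        if abs(x - e3) < 1e-12 * max(1.0, abs(e3)):   # the 2-torsion point (e3, .) itself
            return periods(a1, a2, a3, a4, a6)[0] / 2
        a, b, f = math.sqrt(e1 - e3), math.sqrt(e1 - e2), 0
        if x < e1:                                 # P on the egg: add the 2-torsion point (e3, .)
            f = 1                                  # chord slope; equals y/(x - e3) if a1 = a3 = 0
            lam = (y + (a1 * e3 + a3) / 2) / (x - e3)
            x = lam * lam + a1 * lam - a2 - x - e3
        c = math.sqrt(x - e3)
    else:                                          # step 6
        e1 = roots[0]
        beta = math.sqrt(3 * e1 * e1 + (b2 / 2) * e1 + b4 / 2)
        alpha = 3 * e1 + b2 / 4
        a, b = 2 * math.sqrt(beta), math.sqrt(alpha + 2 * beta)
        if abs(x - e1) < 1e-12 * max(1.0, abs(e1)):   # the 2-torsion point (e1, .): z = w2/2
            return math.pi / agm(a, b)
        c = (x - e1 + beta) / math.sqrt(x - e1)
    for _ in range(64):                            # steps 3 / 7: AGM loop carrying c along
        if abs(a - b) <= tol * a:
            break
        a, b, c = (a + b) / 2, math.sqrt(a * b), (c + math.sqrt(c * c + b * b - a * a)) / 2
    theta = math.asin(max(-1.0, min(1.0, a / c)))
    if disc > 0:                                   # steps 4 and 5
        z = theta / a if (f == 0 and yy < 0) or (f == 1 and yy > 0) else (math.pi - theta) / a
        return z if f == 0 else z + periods(a1, a2, a3, a4, a6)[0] / 2
    z = theta / a if yy * ((x - e1) ** 2 - beta * beta) < 0 else (math.pi - theta) / a   # step 8
    return z + math.pi / a if yy > 0 else z
```

On $y^2 = x^3 - x$ the roots are $1, 0, -1$, so $\omega_2 = \pi/\mathrm{AGM}(\sqrt{2}, 1)$ and the lattice is square; the 2-torsion points $(1, 0)$, $(0, 0)$ and $(-1, 0)$ must come out as $\omega_2/2$, $(\omega_1 + \omega_2)/2$ and $\omega_1/2$. On $y^2 = x^3 + 1$ the point $(0, 1)$ has order 3, so its logarithm must be $\omega_2/3$ or $2\omega_2/3$, and the logarithms of $(0, 1)$ and $(0, -1)$ must add up to $\omega_2$. These identities check the code without evaluating $\wp$ at all.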


7.4.2  Algorithm  for  Reducing  a  General  Cubic 

The problem that we want to solve here is the following. Given a general non-singular irreducible projective plane cubic over an arbitrary field $K$, say

$$s_1U^3 + s_2U^2V + s_3UV^2 + s_4V^3 + (s_5U^2 + s_6UV + s_7V^2)W + (s_8U + s_9V)W^2 + s_{10}W^3,$$

where $(U : V : W)$ are the projective coordinates, and a $K$-rational point $P_0 = (u_0 : v_0 : w_0)$ on the curve, find a birational transformation which transforms this into a generalized Weierstraß equation.

We will explain how to do this in the generic situation (i.e. assuming that no expression vanishes, that our points are in general position, etc.), and then give the algorithm in general. We also assume for simplicity that our field is of characteristic different from 2.

We first make a couple of reductions. Since the curve is non-singular, its partial derivatives with respect to $U$ and $V$ cannot vanish simultaneously on the curve. Hence, by exchanging if necessary $U$ and $V$, we may assume that it is the derivative with respect to $V$ at $P_0$ which is different from zero. Consider now the tangent at $P_0$ to the curve. This tangent will then have a (rational) slope $\lambda$, and intersects the curve in a unique third point which we will call $P_1 = (u_1 : v_1 : w_1)$. After making the change of coordinates $(U', V') = (U - u_1, V - v_1)$ we may assume that $P_1$ has coordinates $(0 : 0 : 1)$, i.e. is at the origin, or in other words that the new value of $s_{10}$ is equal to zero. We now have the following theorem (for simplicity we state everything with affine coordinates, but the conversion to projective coordinates is easy to make).


Theorem 7.4.9. We keep the above notations and reductions. Call $c_j(U, V)$ the coefficient of degree $W^{3-j}$ in the equation of the curve (so that $c_j$ is a homogeneous polynomial of degree $j$), and set

$$d(U, V) = c_2(U, V)^2 - 4c_1(U, V)c_3(U, V).$$

Furthermore, if $\lambda$ is the slope of the tangent at $P_0$ as defined above, set

$$d(U, \lambda U + 1) = AU^4 + BU^3 + CU^2 + DU + E.$$

Then

(1) We have $A = 0$ and $B \neq 0$.

(2) The transformation

$$X = \frac{BU}{V - \lambda U}, \qquad Y = \frac{B}{(V - \lambda U)^2}\bigl(2c_3(U, V) + c_2(U, V)\bigr)$$

is a birational transformation whose inverse is given by

$$U = X\,\frac{BY - c_2(X, \lambda X + B)}{2c_3(X, \lambda X + B)}, \qquad V = (\lambda X + B)\,\frac{BY - c_2(X, \lambda X + B)}{2c_3(X, \lambda X + B)}.$$

(3) This birational map transforms the equation of the curve into the Weierstraß equation

$$Y^2 = X^3 + CX^2 + BDX + B^2E.$$
Proof. The line $V = \lambda U$ is the new equation of the tangent at $P_0$ that we started from. This means that it is tangent to the curve. Solving for $U$, one has the trivial solution $U = 0$ corresponding to the point $P_1$, and the two other roots must be equal. In other words we must have $d(1, \lambda) = 0$, since this is the discriminant of the quadratic equation. Since clearly $A = d(1, \lambda)$, this shows that $A = 0$.

Now solving for the double root, we see that the coordinates of $P_0$ (in the new coordinate system of course) are $(\alpha, \lambda\alpha)$, where we set

$$\alpha = -\frac{c_2(1, \lambda)}{2c_3(1, \lambda)}.$$

Now I claim that we have the equalities

$$B = \frac{\partial d}{\partial V}(1, \lambda) = -4c_3(1, \lambda)\,\frac{\partial f}{\partial V}(\alpha, \lambda\alpha),$$

where $f(U, V) = 0$ is the (affine) equation of the curve. Assuming this for a moment, this last partial derivative is the partial derivative of $f$ with respect to $V$ at the point $P_0$, hence is different from zero by the first reduction made above. Furthermore, $c_3(1, \lambda) \neq 0$ also since otherwise $P_0$ would be at infinity and we have assumed (for the moment) that $P_0$ is in general position. This shows that $B \neq 0$ and hence the first part of the theorem. To prove my claim, note that the first equality is trivial. For the second, let us temporarily abbreviate $c_j(1, \lambda)$ to $c_j$ and $\frac{\partial c_j}{\partial V}(1, \lambda)$ to $c_j'$. Then by homogeneity, one sees immediately that

$$\frac{\partial f}{\partial V}(\alpha, \lambda\alpha) = \frac{c_2^2 c_3' - 2c_2 c_3 c_2' + 4c_3^2 c_1'}{4c_3^2}.$$

We know that $A = c_2^2 - 4c_1 c_3 = 0$ (and this can be checked once again explicitly if desired). Therefore we can replace $c_2^2$ by $4c_1 c_3$, thus giving

$$\frac{\partial f}{\partial V}(\alpha, \lambda\alpha) = \frac{4c_1 c_3' + 4c_3 c_1' - 2c_2 c_2'}{4c_3},$$

and the claim follows by differentiating the formula $d = c_2^2 - 4c_1 c_3$.

By simple replacement, one sees immediately that, since $B \neq 0$, the maps $(U, V) \mapsto (X, Y)$ and $(X, Y) \mapsto (U, V)$ are inverse to one another, hence the second part is clear.

For the last part, we simply replace $U$ and $V$ by their expressions in terms of $X$ and $Y$. We can multiply by $c_3(X, \lambda X + B)$ (which is not identically zero), and we can also simplify the resulting equation by $BY - c_2(X, \lambda X + B)$ since $B$ is different from zero and the curve is irreducible (why?). After expanding and simplifying we obtain the equation

$$B^2Y^2 = d(X, \lambda X + B).$$

Now since $d(U, V)$ is a homogeneous polynomial of degree 4, one sees immediately that

$$d(X, \lambda X + B) = B^2X^3 + CB^2X^2 + DB^3X + EB^4,$$

thus finishing the proof of the theorem. □

It is now easy to generalize this theorem to the case where the point $P_0$ is not in general position, and this leads to the following algorithm, which we give in projective coordinates.

Algorithm 7.4.10 (Reduction of a General Cubic). Let $K$ be a field of characteristic different from 2, and let $f(U, V, W) = 0$ be the equation of a general cubic, where

$$f(U, V, W) = s_1U^3 + s_2U^2V + s_3UV^2 + s_4V^3 + (s_5U^2 + s_6UV + s_7V^2)W + (s_8U + s_9V)W^2 + s_{10}W^3.$$

Finally, let $P_0 = (u_0 : v_0 : w_0)$ be a point on the cubic, i.e. such that $f(u_0, v_0, w_0) = 0$. This algorithm either outputs a message saying that the curve is singular or reducible, or else gives a Weierstraß equation for the curve and a pair of inverse birational maps which transform one equation into the other. We will call $(X : Y : T)$ the new projective coordinates, and continue to call $s_i$ the coefficients of the transformed equation $g$ during the algorithm.

1. [Initialize] Set $(m_1, m_2, m_3) \leftarrow (U, V, W)$, $(n_1, n_2, n_3) \leftarrow (X, Y, T)$ and $g \leftarrow f$. (Here $(m_1 : m_2 : m_3)(U, V, W)$ and $(n_1 : n_2 : n_3)(X, Y, T)$ will be the pair of inverse birational maps. The assignments given in this algorithm for these maps and for $g$ are formal, i.e. we assign polynomials or rational functions, not values. In addition, it is understood that the modifications of $g$ imply the modifications of the coefficients $s_i$.)

2. [Send $P_0$ to $(0 : 0 : 1)$] If $w_0 \neq 0$, set $(m_1, m_2, m_3) \leftarrow (w_0m_1 - u_0m_3, w_0m_2 - v_0m_3, w_0m_3)$, $(n_1, n_2, n_3) \leftarrow (w_0n_1 + u_0n_3, w_0n_2 + v_0n_3, w_0n_3)$, $g \leftarrow g(w_0U + u_0W, w_0V + v_0W, w_0W)$ and go to step 3. Otherwise, if $u_0 \neq 0$, set $(m_1, m_2, m_3) \leftarrow (u_0m_3, u_0m_2 - v_0m_1, u_0m_1)$, $(n_1, n_2, n_3) \leftarrow (u_0n_3, u_0n_2 + v_0n_3, u_0n_1)$, $g \leftarrow g(u_0W, u_0V + v_0W, u_0U)$ and go to step 3. Finally, if $u_0 = w_0 = 0$ (hence $v_0 \neq 0$), exchange $m_2$ and $m_3$, $n_2$ and $n_3$, and set $g \leftarrow g(U, W, V)$.

3. [Exchange $U$ and $V$?] (Here $s_{10} = 0$.) If $s_8 = s_9 = 0$, output a message saying that the curve is singular at $P_0$ and terminate the algorithm. Otherwise, if $s_9 = 0$, exchange $m_1$ and $m_2$, $n_1$ and $n_2$, and set $g \leftarrow g(V, U, W)$.

4. [Send $P_1$ to $(0 : 0 : 1)$] (Here $s_9 \neq 0$.) Set $\lambda \leftarrow -s_8/s_9$, $c_2 \leftarrow s_7\lambda^2 + s_6\lambda + s_5$, $c_3 \leftarrow s_4\lambda^3 + s_3\lambda^2 + s_2\lambda + s_1$. Then, if $c_3 \neq 0$, set $(m_1, m_2, m_3) \leftarrow (c_3m_1 + c_2m_3, c_3m_2 + \lambda c_2m_3, c_3m_3)$, $(n_1, n_2, n_3) \leftarrow (c_3n_1 - c_2n_3, c_3n_2 - \lambda c_2n_3, c_3n_3)$, $g \leftarrow g(c_3U - c_2W, c_3V - \lambda c_2W, c_3W)$ and go to step 5. Otherwise, if $c_2 = 0$ output a message saying that the curve is reducible and terminate the algorithm. Finally, if $c_3 = 0$ and $c_2 \neq 0$, set $(m_1, m_2, m_3) \leftarrow (m_3, m_2 - \lambda m_1, m_1)$, $(n_1, n_2, n_3) \leftarrow (n_3, n_2 + \lambda n_3, n_1)$ and $g \leftarrow g(W, V + \lambda W, U)$, then set $\lambda \leftarrow 0$.

5. [Apply theorem] (Here we are finally in the situation of the theorem.) Let as in the theorem $c_j(U, V)$ be the coefficient of $W^{3-j}$ in $g(U, V, W)$, and $d(U, V) = c_2(U, V)^2 - 4c_1(U, V)c_3(U, V)$. Compute $B$, $C$, $D$ and $E$ such that $d(U, \lambda U + 1) = BU^3 + CU^2 + DU + E$. Then set

$$(m_1, m_2, m_3) \leftarrow \bigl(Bm_1(m_2 - \lambda m_1)m_3,\ B(2c_3(m_1, m_2) + c_2(m_1, m_2)m_3),\ (m_2 - \lambda m_1)^2m_3\bigr),$$

$$(n_1, n_2, n_3) \leftarrow \bigl(n_1(Bn_2n_3 - c_2(n_1, \lambda n_1 + Bn_3)),\ (\lambda n_1 + Bn_3)(Bn_2n_3 - c_2(n_1, \lambda n_1 + Bn_3)),\ 2c_3(n_1, \lambda n_1 + Bn_3)\bigr).$$

Output the maps $(X, Y, T) \leftarrow (m_1, m_2, m_3)$ and $(U, V, W) \leftarrow (n_1, n_2, n_3)$, the projective Weierstraß equation

$$Y^2T = X^3 + CX^2T + BDXT^2 + B^2ET^3$$

and terminate the algorithm.


7.4.3  Algorithms  for  Elliptic  Curves  over  Fp 

The only algorithms which we will need here are algorithms which count the number of points of an elliptic curve over $\mathbb{F}_p$, or equivalently the numbers $a_p$ such that $|E(\mathbb{F}_p)| = p + 1 - a_p$. We first describe the naive algorithm which expresses $a_p$ as a sum of Legendre symbols, then give a much faster algorithm using Shanks's baby-step giant-step method and a trick of Mestre.

Counting the number of points over $\mathbb{F}_2$ or $\mathbb{F}_3$ is trivial, so we assume that $p \geq 5$. In particular, we may simplify the Weierstraß equation, i.e. assume that $a_1 = a_2 = a_3 = 0$, so the equation of the curve is of the form $y^2 = x^3 + ax + b$. The curve has one point at infinity $(0 : 1 : 0)$, and then for every $x \in \mathbb{F}_p$, there are $1 + \left(\frac{x^3 + ax + b}{p}\right)$ values of $y$. Hence we have $N_p = p + 1 + \sum_{x \in \mathbb{F}_p} \left(\frac{x^3 + ax + b}{p}\right)$, thus giving the formula

$$a_p = -\sum_{x \in \mathbb{F}_p} \left(\frac{x^3 + ax + b}{p}\right).$$

This formula gives an $O(p^{1+\epsilon})$ time algorithm for computing $a_p$, and this is reasonable when $p$ does not exceed 10000, say.

However we can use Shanks's baby-step giant-step method to obtain a much better algorithm. By Hasse's theorem, we know that $p + 1 - 2\sqrt{p} \leq N_p \leq p + 1 + 2\sqrt{p}$, hence we can apply Algorithm 5.4.1 with $C = p + 1 - 2\sqrt{p}$ and $B = p + 1 + 2\sqrt{p}$. This will give an algorithm which runs in time $(B - C)^{1/2 + \epsilon} = O(p^{1/4 + \epsilon})$ and so will be much faster for large $p$. Now the reader will recall that one problem with Shanks's method is that if our group is not cyclic, or if we do not start with a generator of the group, we need to do some extra work which is not so easy to implement. There is a nice trick due, I believe, to Mestre, which tells us how to do this extra work in a very simple manner.

If one considers all the curves over $\mathbb{F}_p$ defined by $y^2 = x^3 + ad^2x + bd^3$ with $d \neq 0$, then there are exactly two isomorphism classes of such curves: those for which $\left(\frac{d}{p}\right) = 1$ are all isomorphic to the initial curve corresponding to $d = 1$, and those for which $\left(\frac{d}{p}\right) = -1$ are also all isomorphic, but to another curve. Call $E'$ one of these other curves. Then one has the following proposition.

Proposition 7.4.11. Let

$$E(\mathbb{F}_p) \simeq \mathbb{Z}/d_1\mathbb{Z} \times \mathbb{Z}/d_2\mathbb{Z} \quad\text{and}\quad E'(\mathbb{F}_p) \simeq \mathbb{Z}/d_1'\mathbb{Z} \times \mathbb{Z}/d_2'\mathbb{Z}$$

be the Abelian group structures of $E(\mathbb{F}_p)$ and $E'(\mathbb{F}_p)$ respectively, with $d_1 \mid d_2$ and $d_1' \mid d_2'$ (see Proposition 7.1.9). Then for $p > 457$ we have

$$\max(d_2, d_2') > 4\sqrt{p}.$$

This proposition shows that on at least one of the two curves $E$ or $E'$ there will be points of order greater than $4\sqrt{p}$, hence according to Hasse's theorem, sufficiently large so as to obtain the cardinality of $E(\mathbb{F}_p)$ (or of $E'(\mathbb{F}_p)$) immediately using Shanks's baby-step giant-step method. In addition, since each value of $x$ gives either two points on one of the curves and none on the other, or one on each, it is clear that if $|E(\mathbb{F}_p)| = p + 1 - a_p$, we have $|E'(\mathbb{F}_p)| = p + 1 + a_p$, so computing one value gives immediately the other one.

This leads to the following algorithm.

Algorithm 7.4.12 (Shanks-Mestre). Given an elliptic curve $E$ over $\mathbb{F}_p$ with $p > 457$ by a Weierstraß equation $y^2 = x^3 + ax + b$, this algorithm computes the $a_p$ such that $|E(\mathbb{F}_p)| = p + 1 - a_p$.

1. [Initialize] Set $x \leftarrow -1$, $A \leftarrow 0$, $B \leftarrow 1$, $k_1 \leftarrow 0$.

2. [Get next point] (Here we have $|E(\mathbb{F}_p)| \equiv A \pmod{B}$.) Repeat $x \leftarrow x + 1$, $d \leftarrow x^3 + ax + b$, $k \leftarrow \left(\frac{d}{p}\right)$ until $k \neq 0$ and $k \neq k_1$. Set $k_1 \leftarrow k$. Finally, if $k_1 = -1$ set $A_1 \leftarrow 2p + 2 - A \bmod B$ else set $A_1 \leftarrow A$.

3. [Find multiple of the order of a point] Let $m$ be the smallest integer such that $m \geq p + 1 - 2\sqrt{p}$ and $m \equiv A_1 \pmod{B}$. Using Shanks's baby-step giant-step strategy, find an integer $n$ such that $m \leq n \leq p + 1 + 2\sqrt{p}$, $n \equiv m \pmod{B}$ and such that $n \cdot (xd, d^2) = 0$ on the curve $Y^2 = X^3 + ad^2X + bd^3$ (note that this will be isomorphic to the curve $E$ or $E'$ according to the sign of $k_1$).

4. [Find order] Factor $n$, and deduce from this the exact order $h$ of the point $(xd, d^2)$.

5. [Finished?] Using for instance the Chinese remainder algorithm, find the smallest integer $h'$ which is a multiple of $h$ and such that $h' \equiv A_1 \pmod{B}$. If $h' < 4\sqrt{p}$ set $B \leftarrow \mathrm{LCM}(B, h)$, then $A \leftarrow h' \bmod B$ if $k_1 = 1$, $A \leftarrow 2p + 2 - h' \bmod B$ if $k_1 = -1$, and go to step 2.

6. [Compute $a_p$] Let $N$ be the unique multiple of $h'$ such that $p + 1 - 2\sqrt{p} \leq N \leq p + 1 + 2\sqrt{p}$. Output $a_p = p + 1 - k_1N$ and terminate the algorithm.

The running time of this algorithm is $O(p^{1/4 + \epsilon})$ for any $\epsilon > 0$, but it is much easier to implement than the algorithm for class numbers because of the simpler group structure. It should be used instead of the algorithm using Legendre symbols as soon as $p$ is greater than 457. Note that one can prove that 457 is best possible, but it is easy to modify slightly the algorithm so that it works for much lower values of $p$.

Note also that, as in the case of class groups of quadratic fields, we can use the fact that the inverse of a point is trivial to compute, and hence enlarge by a factor $\sqrt{2}$ the size of the giant steps. In other words, in step 3 the size of the giant steps should be taken equal to the integer part of $\sqrt{2\sqrt{p}/B}$.
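The Legendre-symbol count and the Shanks-Mestre idea, as an added worked example in Python (not code from the book; the function names are mine). It implements the naive formula $a_p = -\sum_x \left(\frac{x^3 + ax + b}{p}\right)$, affine chord-and-tangent arithmetic on $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$, a baby-step giant-step search for the multiples of a point's order inside the Hasse interval, and Mestre's choice of the point $(xd, d^2)$ on $Y^2 = X^3 + ad^2X + bd^3$. The LCM bookkeeping of steps 4 and 5 and the $\sqrt{2}$ trick are left out: the loop simply keeps taking points until one of them has order larger than the Hasse interval, which Proposition 7.4.11 guarantees will happen. The final line uses $a_p = k_1(p + 1 - N)$, which is what $|E'(\mathbb{F}_p)| = p + 1 + a_p$ gives when the point came from the twist. The prime $1009$ and the curve $y^2 = x^3 + x + 1$ are constructed test values, not taken from the page.

```python
import math

def legendre(a, p):
    # Legendre symbol (a/p) for an odd prime p, by Euler's criterion.
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def ap_naive(a, b, p):
    # a_p = -sum_{x in F_p} ((x^3 + a x + b) / p): p Legendre symbols, fine up to p ~ 10^4.
    return -sum(legendre(x * x * x + a * x + b, p) for x in range(p))

def ec_neg(P, p):
    return None if P is None else (P[0], (-P[1]) % p)

def ec_add(P, Q, a, p):
    # Chord-and-tangent addition on y^2 = x^3 + a x + b over F_p; None is the point at infinity.
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, P, a, p):
    # Double-and-add scalar multiplication.
    R, Q = None, P
    while n:
        if n & 1:
            R = ec_add(R, Q, a, p)
        Q = ec_add(Q, Q, a, p)
        n >>= 1
    return R

def multiples_in_interval(P, a, p, lo, hi):
    # Baby-step giant-step (the strategy of Algorithm 5.4.1): every n in [lo, hi]
    # with n * P = O.  When the order of P exceeds hi - lo there is at most one.
    m = math.isqrt(hi - lo) + 1
    baby, R = {}, None
    for i in range(m):                          # baby steps: i * P for 0 <= i < m
        baby.setdefault(R, i)
        R = ec_add(R, P, a, p)
    giant = ec_neg(ec_mul(m, P, a, p), p)       # -m * P
    T = ec_neg(ec_mul(lo, P, a, p), p)          # T = -(lo + k m) P; a hit i P = T gives n = lo + k m + i
    found = []
    for k in range((hi - lo) // m + 1):
        if T in baby and lo + k * m + baby[T] <= hi:
            found.append(lo + k * m + baby[T])
        T = ec_add(T, giant, a, p)
    return found

def ap_shanks_mestre(a, b, p):
    # Simplified Shanks-Mestre (Algorithm 7.4.12 without the LCM bookkeeping of
    # steps 4 and 5): walk x as in step 2; (xd, d^2) with d = x^3 + a x + b lies on
    # Y^2 = X^3 + a d^2 X + b d^3, which is E when (d/p) = 1 and the twist E' when
    # (d/p) = -1.  Proposition 7.4.11 promises a point on E or E' whose order
    # exceeds the Hasse interval once p > 457, and that point pins down the order N.
    s = 2 * math.isqrt(p) + 1                   # integer bound >= 2 sqrt(p)
    lo, hi = p + 1 - s, p + 1 + s
    for x in range(p):
        d = (x * x * x + a * x + b) % p
        k = legendre(d, p)
        if k == 0:
            continue
        P = (x * d % p, d * d % p)
        found = multiples_in_interval(P, a * d * d % p, p, lo, hi)
        if len(found) == 1:
            N = found[0]                        # |E(F_p)| if k = 1, |E'(F_p)| if k = -1
            return k * (p + 1 - N)              # |E'(F_p)| = p + 1 + a_p flips the sign
    raise ValueError("no point of large enough order found")
```

For $p = 1009$ the two routines must agree, and counting the twist $y^2 = x^3 + ad^2x + bd^3$ for a non-residue $d$ with the naive formula must give $-a_p$, which is the relation $|E'(\mathbb{F}_p)| = p + 1 + a_p$ from the text.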

Another algorithm for computing $a_p$ has been discovered by R. Schoof ([Scho]). What is remarkable about it is that it is a polynomial time algorithm, more precisely it runs in time $O(\ln^8 p)$. The initial version did not seem to be very useful in practice, but a lot of progress has been made since.

Schoof's idea, which we will not explain in detail here, is to use the division polynomials for the Weierstraß $\wp$ function, i.e. polynomials which express $\wp(nz)$ and $\wp'(nz)$ in terms of $\wp(z)$ and $\wp'(z)$ for integer $n$ (in fact a prime number $n$). This gives congruences for the $a_p$, and using the Chinese remainder theorem we can glue together these congruences to compute the $a_p$.

An interesting blend of the baby-step giant-step algorithm and Schoof's algorithm is to compute Schoof-type congruences for $a_p$ modulo a few primes $l$. If for example we find the congruences modulo 2, 3 and 5, we can divide the search interval by 30 in the algorithm above, and hence this allows the treatment of larger primes.

The main practical problem with Schoof's idea is that the equations giving the division polynomials are of degree $(n^2 - 1)/2$, and this becomes very difficult to handle as soon as $n$ is a little large.

Recently N. Elkies has been able to show that for approximately one half of the primes $n$, this degree can be reduced to $n + 1$, which is much more manageable. J.-M. Couveignes has also shown how to use $n$ which are powers of small primes and not only primes.

Combining all these ideas, Morain and Lercier (Internet announcement) have been able to deal with a 500-digit prime, which is the current record at the time of this writing.


7.5  Algorithms  for  Elliptic  Curves  over  Q 

7.5.1  Tate’s  algorithm 

Given an elliptic curve $E$ defined over $\mathbb{Q}$, using Algorithm 7.4.10 we can assume that $E$ is given by a generalized Weierstraß equation $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ with coefficients in $\mathbb{Q}$. We would first like to find a global minimal Weierstraß equation of $E$ (see [Sil], [LN476] and Algorithm 7.5.3 for the precise definitions). This will be a canonical way of representing the curve $E$ since this equation exists and is unique. (As already remarked, it is essential at this point that we work over $\mathbb{Q}$ and not over an arbitrary number field.) Note that this is a major difference with the case of equations defining number fields, where no really canonical equation for the field can be found, but only partial approaches such as the pseudo-canonical polynomial given by Algorithm 4.4.12. In addition, it is necessary to know this minimal equation for several other algorithms.

Two elliptic curves with different parameters may be isomorphic over $\mathbb{Q}$. Such an isomorphism must be given by transformations $x = u^2x' + r$, $y = u^3y' + su^2x' + t$, where $u \in \mathbb{Q}^*$, $r, s, t \in \mathbb{Q}$. We obtain a new model for the same elliptic curve. Using the same quantities as those used in Formulas (7.1), the parameters of the new model are given by

$$\begin{aligned}
ua_1' &= a_1 + 2s, & u^2a_2' &= a_2 - sa_1 + 3r - s^2, \\
u^3a_3' &= a_3 + ra_1 + 2t, \\
u^4a_4' &= a_4 - sa_3 + 2ra_2 - (t + rs)a_1 + 3r^2 - 2st, \\
u^6a_6' &= a_6 + ra_4 + r^2a_2 + r^3 - ta_3 - t^2 - rta_1, \\
u^2b_2' &= b_2 + 12r, & u^4b_4' &= b_4 + rb_2 + 6r^2, \\
u^6b_6' &= b_6 + 2rb_4 + r^2b_2 + 4r^3, \\
u^8b_8' &= b_8 + 3rb_6 + 3r^2b_4 + r^3b_2 + 3r^4, \\
u^4c_4' &= c_4, \quad u^6c_6' = c_6, \quad u^{12}\Delta' = \Delta, \quad j' = j, \quad u^{-1}\omega' = \omega.
\end{aligned} \tag{7.2}$$

Using these formulas, we may now assume that the coefficients of the equations are integers. We will make this assumption from now on. We first want to find a model for $E$ which is minimal with respect to a given prime $p$, and we also want to know the type of the fiber at $p$ of the elliptic pencil defined by $E$ over $\mathbb{Z}$ (see [Sil], [LN476]). The possible types are described by symbols known as Kodaira types. They are $I_0, I_\nu, II, III, IV, I_0^*, I_\nu^*, II^*, III^*, IV^*$, where $\nu$ is a positive integer. We need also to compute the coefficient $c_p$ which appears in the formulation of the Birch and Swinnerton-Dyer Conjecture 7.3.9, that is, the index in $E(\mathbb{Q}_p)$ of the group $E^0(\mathbb{Q}_p)$ of points which do not reduce to the singular point.

The following algorithm is due to Tate (cf. [LN476]). We specialize his description to the case of rational integers. The situation is a bit simpler when the prime $p$ is greater than 3, so let us start with that case.

Algorithm 7.5.1 (Reduction of an Elliptic Curve Modulo $p$). Given integers $a_1, \dots, a_6$ and a prime $p > 3$, this algorithm determines the Kodaira symbol associated with the curve modulo $p$. In addition, it computes the exponent $f$ of $p$ in the arithmetic conductor of the curve, the index $c = [E(\mathbb{Q}_p) : E^0(\mathbb{Q}_p)]$ and integers $u, r, s, t$ such that $a_1', \dots, a_6'$ linked to $a_1, \dots, a_6$ via Formulas (7.2) give a model with the smallest possible power of $p$ in its discriminant.

1. [Initialize] Compute $c_4, c_6, \Delta$ and $j$ using Formulas (7.1). If $v_p(j) < 0$ set $k \leftarrow v_p(\Delta) + v_p(j)$ else set $k \leftarrow v_p(\Delta)$.

2. [Minimal?] If $k < 12$ set $u \leftarrow 1$, $r \leftarrow 0$, $s \leftarrow 0$, and $t \leftarrow 0$. Otherwise, set $u \leftarrow p^{\lfloor k/12 \rfloor}$; if $a_1$ is odd then set $s \leftarrow (u - a_1)/2$ else set $s \leftarrow -a_1/2$. Set $a_2' \leftarrow a_2 - sa_1 - s^2$. Set $r \leftarrow -a_2'/3$, $(u^2 - a_2')/3$ or $(-u^2 - a_2')/3$ depending on $a_2'$ being congruent to $0$, $1$ or $-1$ modulo $3$. Set $a_3' \leftarrow a_3 + ra_1$. If $a_3'$ is odd, then set $t \leftarrow (u^3 - a_3')/2$ else set $t \leftarrow -a_3'/2$. Finally, set $k \leftarrow k \bmod 12$, $\Delta \leftarrow \Delta/u^{12}$, $c_4 \leftarrow c_4/u^4$ and $c_6 \leftarrow c_6/u^6$.

3. [Non-integral invariant] If $v_p(j) < 0$, then set $\nu \leftarrow -v_p(j)$. $k$ must be equal to $0$ or $6$. If $k = 0$, set $f \leftarrow 1$, and set $c \leftarrow \nu$ if $\left(\frac{-c_6}{p}\right) = 1$ or $c \leftarrow \gcd(2, \nu)$ if $\left(\frac{-c_6}{p}\right) = -1$, then output Kodaira type $I_\nu$. If $k = 6$ set $f \leftarrow 2$, and set $c \leftarrow 3 + \left(\frac{[\text{illegible}]}{p}\right)$ if $\nu$ is odd, $c \leftarrow 3 + \left(\frac{[\text{illegible}]}{p}\right)$ if $\nu$ is even, then output Kodaira type $I_\nu^*$. In any case, output $f, c, u, r, s, t$ and terminate the algorithm.

4. [Integral invariant] If $k = 0$ then set $f \leftarrow 0$ else set $f \leftarrow 2$. The possible values for $k$ are $0, 2, 3, 4, 6, 8, 9$ and $10$. Set $c \leftarrow 1,\ 1,\ 2,\ 2 + \left(\frac{-6c_6p^{-2}}{p}\right),\ 1 + $ the number of roots of $4X^3 - 3c_4p^{-2}X - c_6p^{-3}$ in $\mathbb{Z}/p\mathbb{Z},\ 2 + \left(\frac{-6c_6p^{-4}}{p}\right),\ 2,\ 1$ respectively. Output respectively the Kodaira types $I_0, II, III, IV, I_0^*, IV^*, III^*, II^*$. In any case, output $f, c, u, r, s, t$ and terminate the algorithm.
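Formulas (7.2) and Algorithm 7.5.1, as an added worked example in Python (not the book's code; the names `invariants`, `change_model`, `vp`, `legendre` and `local_data` are mine). Steps 1, 2 and 4 are implemented as stated above. In step 3 the Legendre-symbol test for type $I_\nu^*$ is not legible on the page, so the test used here was derived separately from step 7 of Tate's algorithm applied to the model $y^2 = (x - p\beta)(x^2 - p^2D)$: $c = 3 + \left(\frac{\Delta p^{-\nu-6}}{p}\right)$ for even $\nu$, and the same symbol with the extra factor $c_6p^{-3}$ for odd $\nu$. That test is an assumption of this example, not the page's formula. The curve $y^2 + y = x^3 - x^2 - 10x - 20$ (conductor 11, discriminant $-11^5$) and the curves $y^2 = x^3 - 5x^2 - 125x + 625$, $y^2 = x^3 - 5x^2 - 250x + 1250$ and $y^2 = x^3 - 25x$ at $p = 5$ are constructed test cases, not examples from the page.

```python
from fractions import Fraction
from math import gcd

def invariants(a):
    # b2, b4, b6, b8, c4, c6 and Delta of y^2 + a1xy + a3y = x^3 + a2x^2 + a4x + a6 (Formulas (7.1)).
    a1, a2, a3, a4, a6 = a
    b2 = a1 * a1 + 4 * a2
    b4 = 2 * a4 + a1 * a3
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    c4 = b2 * b2 - 24 * b4
    c6 = -b2 ** 3 + 36 * b2 * b4 - 216 * b6
    disc = -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6
    return b2, b4, b6, b8, c4, c6, disc

def change_model(a, u, r, s, t):
    # Formulas (7.2): coefficients of the model reached by x = u^2 x' + r, y = u^3 y' + s u^2 x' + t.
    a1, a2, a3, a4, a6 = a
    u = Fraction(u)
    return (Fraction(a1 + 2 * s) / u,
            Fraction(a2 - s * a1 + 3 * r - s * s) / u ** 2,
            Fraction(a3 + r * a1 + 2 * t) / u ** 3,
            Fraction(a4 - s * a3 + 2 * r * a2 - (t + r * s) * a1 + 3 * r * r - 2 * s * t) / u ** 4,
            Fraction(a6 + r * a4 + r * r * a2 + r ** 3 - t * a3 - t * t - r * t * a1) / u ** 6)

def vp(n, p):
    # p-adic valuation of a nonzero integer.
    n, v = abs(int(n)), 0
    while n % p == 0:
        n //= p
        v += 1
    return v

def legendre(a, p):
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)

def local_data(a, p):
    # Algorithm 7.5.1 for a prime p > 3.  Returns (Kodaira symbol, f, c, (u, r, s, t), p-minimal model).
    a1, a2, a3, a4, a6 = a
    c4, c6, disc = invariants(a)[4:]
    vd = vp(disc, p)
    vj = 3 * vp(c4, p) - vd if c4 != 0 else vd       # v_p(j); j = 0 counts as integral
    k = vd + vj if vj < 0 else vd                       # step 1
    u, r, s, t = 1, 0, 0, 0
    if k >= 12:                                         # step 2: the model is not minimal at p
        u = p ** (k // 12)
        s = (u - a1) // 2 if a1 % 2 else -a1 // 2
        a2p = a2 - s * a1 - s * s
        r = {0: -a2p // 3, 1: (u * u - a2p) // 3, 2: (-u * u - a2p) // 3}[a2p % 3]
        a3p = a3 + r * a1
        t = (u ** 3 - a3p) // 2 if a3p % 2 else -a3p // 2
        new = change_model(a, u, r, s, t)
        if any(v.denominator != 1 for v in new):
            raise ValueError("transformed model is not integral")
        a = tuple(int(v) for v in new)
        c4, c6, disc = invariants(a)[4:]
        k %= 12
    if vj < 0:                                          # step 3
        nu = -vj
        if k == 0:                                      # type I_nu: split iff -c6 is a square mod p
            c = nu if legendre(-c6, p) == 1 else gcd(2, nu)
            return "I%d" % nu, 1, c, (u, r, s, t), a
        # k == 6, type I_nu^*.  The page's Legendre-symbol test is illegible in the scan;
        # this test was derived from step 7 of Tate's algorithm and is an assumption here.
        dd = disc // p ** (nu + 6)
        c = 3 + legendre(dd * (c6 // p ** 3) if nu % 2 else dd, p)
        return "I%d*" % nu, 2, c, (u, r, s, t), a
    kod, f = {0: ("I0", 0), 2: ("II", 2), 3: ("III", 2), 4: ("IV", 2),    # step 4
              6: ("I0*", 2), 8: ("IV*", 2), 9: ("III*", 2), 10: ("II*", 2)}[k]
    if k == 6:                                          # I0*: 1 + roots of 4X^3 - 3 c4 p^-2 X - c6 p^-3
        A, B = -3 * c4 // p ** 2, -c6 // p ** 3
        c = 1 + sum(1 for X in range(p) if (4 * X ** 3 + A * X + B) % p == 0)
    else:
        c = {0: 1, 2: 1, 3: 2, 4: 2 + legendre(-6 * c6 // p ** 2, p),
             8: 2 + legendre(-6 * c6 // p ** 4, p), 9: 2, 10: 1}[k]
    return kod, f, c, (u, r, s, t), a
```

Scaling the conductor-11 curve by $u = 1/11$ in Formulas (7.2) produces an integral model whose discriminant has $11$-adic valuation $17$; step 2 of the algorithm must find $u = 11$, $r = s = t = 0$ and return the original model with type $I_5$, $f = 1$ and $c = 5$. A change of model with $u = 1$ leaves $c_4$, $c_6$ and $\Delta$ unchanged, which is the invariance stated in the last line of (7.2).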

When  p  =  2  or  p  =  3,  the  algorithm  is  much  more  complicated. 

Algorithm  7.5.2  (Reduction  of  an  Elliptic  Curve  Modulo  2  or  3).  Given 
integers  a\, . . . ,  ae  and  p  =  2  or  3,  this  algorithm  determines  the  Kodaira  symbol 
associated  with  the  curve  modulo  p.  In  addition,  it  computes  the  exponent  /  of 
p  in  the  arithmetic  conductor  of  the  curve,  the  index  c  =  [J5(QP)  :  E°(QP]  and 
integers  u,r,  s,t  such  that  a[, . . . ,  a'6  linked  to  a\,.. .  ,ae  via  Formulas  (7.2)  give 
a  model  with  the  smallest  possible  power  of  p  in  its  discriminant.  To  simplify  the 
presentation,  we  use  a  variable  T  which  will  hold  the  Kodaira  type,  coded  in  any 
way  one  likes. 
1. [Initialize] Set $u \leftarrow 1$, $r \leftarrow 0$, $s \leftarrow 0$, and $t \leftarrow 0$. Compute $\Delta$ and $j$ using
Formulas (7.1). Set $v \leftarrow v_p(\Delta)$.

2. [Type $\mathrm{I}_0$] If $v = 0$ then set $f \leftarrow 0$, $c \leftarrow 1$, $T \leftarrow \mathrm{I}_0$ and go to step 22.

3. [Type $\mathrm{I}_v$] If $p \nmid b_2 = a_1^2 + 4a_2$ then set $f \leftarrow 1$, and set $c \leftarrow v$ if $X^2 + a_1X - a_2$
has a root in $\mathbb{Z}/p\mathbb{Z}$, set $c \leftarrow \gcd(2, v)$ otherwise, then set $T \leftarrow \mathrm{I}_v$ and go to
step 22.

4. [Change Equation] If $p = 2$, then set $r_1 \leftarrow a_4 \bmod 2$, $s_1 \leftarrow (r_1 + a_2) \bmod 2$
and $t_1 \leftarrow (a_6 + r_1(a_4 + s_1)) \bmod 2$, otherwise compute $b_6$ using Formulas
(7.1) and set $r_1 \leftarrow -b_6 \bmod 3$, $s_1 \leftarrow a_1 \bmod 3$ and $t_1 \leftarrow (a_3 + r_1a_1) \bmod 3$.
Use Formulas (7.2) with the parameters $1, r_1, s_1, t_1$ to compute $a'_1, \ldots, a'_6$,
then set $a_1 \leftarrow a'_1$, $a_2 \leftarrow a'_2$, $\ldots$, $a_6 \leftarrow a'_6$, $r \leftarrow r + u^2r_1$, $s \leftarrow s + us_1$ and
$t \leftarrow t + u^3t_1 + u^2sr_1$.

5. [Type II] If $p^2 \nmid a_6$, then set $f \leftarrow v$, $c \leftarrow 1$, $T \leftarrow \mathrm{II}$ and go to step 22.

6. [Type III] Compute $b_8$ using Formulas (7.1). If $p^3 \nmid b_8$, then set $f \leftarrow v - 1$,
$c \leftarrow 2$, $T \leftarrow \mathrm{III}$ and go to step 22.

7. [Type IV] Compute $b_6$ using Formulas (7.1). If $p^3 \nmid b_6$, then set $f \leftarrow v - 2$
and set $c \leftarrow 3$ if $X^2 + (a_3/p)X - a_6/p^2$ has a root in $\mathbb{Z}/p\mathbb{Z}$, set $c \leftarrow 1$ otherwise,
then set $T \leftarrow \mathrm{IV}$ and go to step 22.

8. [Change Equation] If $p^3 \nmid a_6$ do the following. If $p = 2$, then set $k \leftarrow 2$,
otherwise set $k \leftarrow a_3 \bmod 9$. Use Formulas (7.2) with parameters $1, 0, 0, k$ to
compute $a'_1, \ldots, a'_6$, then set $a_1 \leftarrow a'_1$, $a_2 \leftarrow a'_2$, $\ldots$, $a_6 \leftarrow a'_6$ and finally
set $t \leftarrow t + u^3k$.

9. [Type $\mathrm{I}_0^*$] (At this point, we have $p \mid a_2$, $p^2 \mid a_4$ and $p^3 \mid a_6$.) Set $P \leftarrow
X^3 + (a_2/p)X^2 + (a_4/p^2)X + a_6/p^3$. If $P$ has distinct roots modulo $p$, then set
$f \leftarrow v - 4$, set $c \leftarrow 1 +$ the number of roots of $P$ in $\mathbb{Z}/p\mathbb{Z}$, $T \leftarrow \mathrm{I}_0^*$ and go
to step 22.

10. [Change Equation] Let $\alpha$ be the multiple root of the polynomial $P$ modulo
$p$. If $\alpha \ne 0$, then use Formulas (7.2) with parameters $1, \alpha p, 0, 0$ to compute
$a'_1, \ldots, a'_6$, then set $a_1 \leftarrow a'_1$, $a_2 \leftarrow a'_2$, $\ldots$, $a_6 \leftarrow a'_6$, $r \leftarrow r + u^2\alpha p$ and
$t \leftarrow t + u^2s\alpha p$. If $\alpha$ is a double root, then go to step 16.

11. [Type IV$^*$] (Here $p^2 \mid a_3$, $p^4 \mid a_6$.) Set $P \leftarrow X^2 + (a_3/p^2)X - a_6/p^4$. If $P$ has
a double root in $\mathbb{Z}/p\mathbb{Z}$, then let $\alpha$ be that root. Otherwise set $f \leftarrow v - 6$, set
$c \leftarrow 3$ if $P$ splits over $\mathbb{Z}/p\mathbb{Z}$ and $c \leftarrow 1$ otherwise, set $T \leftarrow \mathrm{IV}^*$ and go to
step 22.

12. [Change Equation] If $\alpha \ne 0$ then use Formulas (7.2) with parameters
$1, 0, 0, \alpha p^2$ to compute $a'_1, \ldots, a'_6$, then set $a_1 \leftarrow a'_1$, $a_2 \leftarrow a'_2$, $\ldots$, $a_6 \leftarrow a'_6$
and $t \leftarrow t + u^3\alpha p^2$.

13. [Type III$^*$] If $p^4 \nmid a_4$, then set $f \leftarrow v - 7$, $c \leftarrow 2$, $T \leftarrow \mathrm{III}^*$ and go to step
22.

14. [Type II$^*$] If $p^6 \nmid a_6$, then set $f \leftarrow v - 8$, $c \leftarrow 1$, $T \leftarrow \mathrm{II}^*$ and go to step 22.

15. [Non-minimal equation] Use Formulas (7.2) with parameters $p, 0, 0, 0$ to
compute $a'_1, \ldots, a'_6$, then set $a_1 \leftarrow a'_1$, $a_2 \leftarrow a'_2$, $\ldots$, $a_6 \leftarrow a'_6$, $u \leftarrow pu$,
$v \leftarrow v - 12$ and go to step 2.

16. [Initialize Loop] Set $f \leftarrow v - 5$, $\nu \leftarrow 1$, $q \leftarrow p^2$.

17. [Type $\mathrm{I}_\nu^*$, day in] Set $P \leftarrow X^2 + (a_3/q)X - a_6/q^2$. If $P$ has distinct roots
modulo $p$, then set $c \leftarrow 4$ if these roots are in $\mathbb{Z}/p\mathbb{Z}$, set $c \leftarrow 2$ otherwise,
then set $T \leftarrow \mathrm{I}_\nu^*$ and go to step 22.

18. [Change Equation] Let $\alpha$ be the double root of $P$ modulo $p$. If $\alpha \ne 0$, use
Formulas (7.2) with parameters $1, 0, 0, \alpha q$ to compute $a'_1, \ldots, a'_6$, then set
$a_1 \leftarrow a'_1$, $a_2 \leftarrow a'_2$, $\ldots$, $a_6 \leftarrow a'_6$ and $t \leftarrow t + u^3\alpha q$.

19. [Type $\mathrm{I}_\nu^*$, day out] Set $\nu \leftarrow \nu + 1$ and $P \leftarrow (a_2/p)X^2 + (a_4/(pq))X + a_6/(pq^2)$.
If $P$ has distinct roots modulo $p$, then set $c \leftarrow 4$ if these roots are in $\mathbb{Z}/p\mathbb{Z}$,
set $c \leftarrow 2$ otherwise, then set $T \leftarrow \mathrm{I}_\nu^*$ and go to step 22.

20. [Change Equation] Let $\alpha$ be the double root of $P$ modulo $p$. If $\alpha \ne 0$, use
Formulas (7.2) with parameters $1, \alpha q, 0, 0$ to compute $a'_1, \ldots, a'_6$, then set
$a_1 \leftarrow a'_1$, $a_2 \leftarrow a'_2$, $\ldots$, $a_6 \leftarrow a'_6$, $r \leftarrow r + u^2\alpha q$ and $t \leftarrow t + u^2s\alpha q$.

21. [Loop] Set $\nu \leftarrow \nu + 1$, $q \leftarrow p \cdot q$ and go to step 17.

22. [Common termination] Output the Kodaira type $T$, the numbers $f$, $c$, $u$, $r$,
$s$, $t$ and terminate the algorithm.

Let us turn now to the global counterpart of this process: what is the best
equation for an elliptic curve defined over $\mathbb{Q}$?

Algorithm 7.5.3 (Global Reduction of an Elliptic Curve). Given $a_1, \ldots, a_6 \in
\mathbb{Z}$, this algorithm computes the arithmetic conductor $N$ of the curve and integers
$u, r, s, t$ such that $a'_1, \ldots, a'_6$ linked to $a_1, \ldots, a_6$ via Formulas (7.2) give a
model with the smallest possible discriminant (in absolute value) and such that
$a'_1, a'_3 \in \{0, 1\}$ and $a'_2 \in \{0, \pm 1\}$.

1. [Initialize] Set $N \leftarrow 1$, $u \leftarrow 1$, $r \leftarrow 0$, $s \leftarrow 0$ and $t \leftarrow 0$. Compute $D \leftarrow |\Delta|$
using Formulas (7.1).

2. [Finished?] If $D = 1$, then output $N, u, r, s, t$ and terminate the algorithm.

3. [Local Reduction] Find a prime divisor $p$ of $D$. Then use Algorithm 7.5.1 or
7.5.2 to compute the quantities $f_p, u_p, r_p, s_p, t_p$ (the quantity $c_p$ may be discarded
if it is not wanted for other purposes). Set $N \leftarrow Np^{f_p}$. If $u_p \ne 1$, set $u \leftarrow uu_p$,
$r \leftarrow r + u^2r_p$, $s \leftarrow s + us_p$ and $t \leftarrow t + u^3t_p + u^2sr_p$. Finally, set $D \leftarrow D/p$
until $p \nmid D$, then go to step 2.

Note that if only the minimal Weierstraß equation of the curve is desired,
and not all the local data as well, we can use a simpler algorithm due to Laska
(see [Las] and Section 3.2 of [Cre] for a version due to Kraus and Connell).
7.5.2 Computing rational points

We now turn to the problem of trying to determine the group $E(\mathbb{Q})$ of rational
points on $E$. As already mentioned, this is a difficult problem for which no
algorithm exists unless we assume some of the standard conjectures.

On the other hand, the determination of the torsion subgroup $E(\mathbb{Q})_{\mathrm{tors}}$ is
easy. (This is the elliptic curve analog of computing the subgroup of roots of
unity in a number field, see Algorithms 4.9.9 and 4.9.10.)

By considering the formal group associated with the elliptic curve, one
can prove (see [Sil]) that torsion points of composite order in any number field
have integral coordinates in any Weierstraß model with integral coefficients.
Moreover, there are bounds on the denominators of the coordinates of torsion
points of order $p^n$ where $p$ is a prime. Over $\mathbb{Q}$, these bounds tell us that
only the points of order 2 may have non-integral coordinates in a generalized
Weierstraß model, and in that case the denominator of the $x$-coordinate is at
most 4. Using the fact that if $P$ is a torsion point, then $2P$ is also one, one
obtains the following theorem, due to Nagell and Lutz (see [Sil]).

Theorem 7.5.4 (Nagell-Lutz). If $P = (x, y)$ is a rational point of finite order
$n > 2$ on the elliptic curve $y^2 = x^3 + Ax + B$, where $A$ and $B$ are integers,
then $x$ and $y$ are integers and $y^2$ divides the discriminant $-(4A^3 + 27B^2)$.

This result, together with Mazur's Theorem 7.1.11, gives us the following
algorithm.

Algorithm 7.5.5 (Rational Torsion Points). Given integers $a_1, \ldots, a_6$, this
algorithm lists the rational torsion points on the corresponding elliptic curve $E$.

1. [2-Division Points] Using Formulas (7.1), compute $b_2$, $b_4$, $b_6$, $b_8$ and $\Delta$. Output
the origin of the curve ($(0 : 1 : 0)$ in projective coordinates). Set $P \leftarrow 4X^3 +
b_2X^2 + 2b_4X + b_6$. For each rational root $\alpha$ of $P$, output the point $(\alpha, -(a_1\alpha +
a_3)/2)$.

2. [Initialize Loop] Set $n \leftarrow 4\prod_{p \mid \Delta}p^{\lfloor v_p(\Delta)/2\rfloor}$, the largest integer whose square
divides $16\Delta$. Form the list $\mathcal{L}$ of all positive divisors of $n$.

3. [Loop on $2y + a_1x + a_3$] If $\mathcal{L}$ is empty, terminate the algorithm. Otherwise, let
$d$ be the smallest element of $\mathcal{L}$, and remove $d$ from $\mathcal{L}$. For each rational root
$\alpha$ of $P - d^2$ execute step 4, then go to step 3.

4. [Check if torsion] Set $P_1 \leftarrow (\alpha, (d - a_1\alpha - a_3)/2)$. Compute the points $2P_1$,
$3P_1$, $4P_1$, $5P_1$ and $6P_1$, and let $x_2, \ldots, x_6$ be their $x$-coordinates. If one of
these points is the origin of the curve, or if one of the $x_i$ is equal to the $x$-
coordinate of a point found in step 1, or if $x_2 = x_3$ or $x_3 = x_4$ or $x_4 = x_5$,
then output the two points $P_1$ and $P_2 \leftarrow (\alpha, -(d + a_1\alpha + a_3)/2)$.

Indeed, from Mazur's Theorem 7.1.11, it is clear that $P_1$ will be a torsion
point if and only if $kP_1$ is a point of order dividing 2 for $k \le 6$ or if $kP_1 =
-(k+1)P_1$ for $k \le 4$, and since opposite points have equal $x$-coordinates in a
Weierstraß model, we deduce the test for torsion used in step 4.

Note that to obtain the torsion subgroup from this algorithm is very easy:
if the polynomial $P$ of step 1 has three rational roots, the torsion subgroup
is isomorphic to $(\mathbb{Z}/2\mathbb{Z}) \times (\mathbb{Z}/(N/2)\mathbb{Z})$, otherwise it is isomorphic to $\mathbb{Z}/N\mathbb{Z}$,
where $N$ is the total number of torsion points output by the algorithm.
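As an added example (not the book's own code), here is a Python implementation of the torsion computation for curves in short Weierstrass form $y^2 = x^3 + Ax + B$ with $A, B \in \mathbb{Z}$: Theorem 7.5.4 bounds the candidate points, and Mazur's bound on the order (at most 12) replaces the test of step 4. The two sample curves are constructed inputs.

```python
from fractions import Fraction
from math import isqrt

# Added example, not from the book: rational torsion on y^2 = x^3 + A*x + B (A, B integers)
# via the Nagell-Lutz criterion of Theorem 7.5.4, checked with Mazur's bound (order <= 12).

def ec_add(P, Q, A):
    """Group law on y^2 = x^3 + A x + B over Q; None represents the origin O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and y1 == -y2:          # P = -Q, including doubling a 2-division point
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) / (2 * y1)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    y3 = lam * (x1 - x3) - y1
    return (x3, y3)

def is_torsion(P, A, bound=12):
    """Mazur: a rational torsion point has order <= 12, so kP = O for some k <= 12."""
    Q = P
    for _ in range(bound):
        if Q is None:
            return True
        Q = ec_add(Q, P, A)
    return Q is None

def horner(coeffs, x):
    value = 0
    for c in coeffs:
        value = value * x + c
    return value

def integer_roots(coeffs):
    """Integer roots of a monic integer polynomial (coefficients highest degree first):
    a nonzero integer root divides the constant term."""
    roots = set()
    while coeffs[-1] == 0:                     # X divides the polynomial
        roots.add(0)
        coeffs = coeffs[:-1]
    c = abs(coeffs[-1])
    for d in range(1, isqrt(c) + 1):
        if c % d == 0:
            for cand in (d, -d, c // d, -(c // d)):
                if horner(coeffs, cand) == 0:
                    roots.add(cand)
    return roots

def torsion_points(A, B):
    """All rational torsion points of y^2 = x^3 + A x + B, the origin O given as None."""
    disc = -(4 * A ** 3 + 27 * B ** 2)
    if disc == 0:
        raise ValueError("singular curve")
    points = [None]
    # y = 0 gives the points of order 2; for order > 2 Nagell-Lutz forces y^2 | disc
    ys = {0} | {y for y in range(1, isqrt(abs(disc)) + 1) if disc % (y * y) == 0}
    for y in sorted(ys):
        for x in sorted(integer_roots([1, 0, A, B - y * y])):
            for yy in ({0} if y == 0 else {y, -y}):
                P = (Fraction(x), Fraction(yy))
                if is_torsion(P, A):            # integer points need not be torsion
                    points.append(P)
    return points

if __name__ == "__main__":
    # Constructed inputs: y^2 = x^3 + 1 (torsion Z/6Z) and y^2 = x^3 - 43x + 166 (Z/7Z)
    print(torsion_points(0, 1))
    print(torsion_points(-43, 166))
```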


The last algorithm that we will see in this section is an algorithm to
compute the canonical height of a rational point.

The Weil height of a point $P = \left(\dfrac{a}{e^2}, \dfrac{b}{e^3}\right)$ on an elliptic curve $E$ is defined
to be $h(P) = \ln|e|$. It is known that the limit
$$\hat h(P) = \lim_{n \to \infty}\frac{h(2^nP)}{2^{2n}}$$
exists and defines a positive definite quadratic form on $\mathbb{R} \otimes E(\mathbb{Q})$, known as
the canonical height function on $E(\mathbb{Q})$. The existence of this limit means that
when a rational point with large denominator is multiplied by some integer
$m$ for the group law on the curve, the number of digits of its denominator is
multiplied by $m^2$.

The symmetric bilinear form $\langle P, Q\rangle = \hat h(P + Q) - \hat h(P) - \hat h(Q)$ is called
the canonical height pairing and is used to compute the regulator in the Birch
and Swinnerton-Dyer Conjecture 7.3.9. The canonical height has properties
analogous to those of the logarithmic embedding for number fields (Theorem
4.9.7). More precisely, $\hat h(P) = 0$ if and only if $P$ is a point of finite order.
More generally, if $P_1, \ldots, P_r$ are points on $E$, then $\det(\langle P_i, P_j\rangle) = 0$ if and
only if there exists a linear combination of the points (for the group law of $E$)
which is a point of finite order. Hence this determinant is called the (elliptic)
regulator of the points $P_i$.

If $P_1, \ldots, P_r$ form a basis of the torsion-free part of $E(\mathbb{Q})$, the regulator
$R(E/\mathbb{Q})$ which enters in the Birch and Swinnerton-Dyer conjecture is the
elliptic regulator of the points $P_i$.

The height function $\hat h(P)$ has a very interesting structure (see [Sil]). We
will only note here that it can be expressed as a sum of local functions, one for
each prime number $p$ and one for the "Archimedean prime" $\infty$. To compute
the contribution of a prime $p$ we use an algorithm due in this form to Silverman
(see [Sil2]). We will always assume that the elliptic curve is given by a global
minimal equation, obtained for example by Algorithm 7.5.3.

Algorithm 7.5.6 (Finite part of the height). Given $a_1, \ldots, a_6 \in \mathbb{Z}$ the coefficients
of the global minimal equation of an elliptic curve $E$ and the coordinates
$(x, y)$ of a rational point $P$ on $E$, this algorithm computes the contribution of
the finite primes to the canonical height $\hat h(P)$.

1. [Initialize] Using Formulas (7.1), compute $b_2$, $b_4$, $b_6$, $b_8$, $c_4$ and $\Delta$. Set
$z \leftarrow (1/2)\ln(\text{denominator of } x)$, $A \leftarrow$ numerator of $3x^2 + 2a_2x + a_4 - a_1y$,
$B \leftarrow$ numerator of $2y + a_1x + a_3$, $C \leftarrow$ numerator of $3x^4 + b_2x^3 + 3b_4x^2 +
3b_6x + b_8$ and $D \leftarrow \gcd(A, B)$.

2. [Loop on $p$] If $D = 1$, output $z$ and terminate the algorithm. Otherwise, choose
a prime divisor $p$ of $D$ and set $D \leftarrow D/p$ until $p \nmid D$.

3. [Add local contribution] If $p \nmid c_4$, then set $N \leftarrow v_p(\Delta)$, $n \leftarrow \min(v_p(B), N/2)$
and $z \leftarrow z - (n(N - n)/(2N))\ln p$. Otherwise, if $v_p(C) \ge 3v_p(B)$ set $z \leftarrow
z - (v_p(B)/3)\ln p$ else set $z \leftarrow z - (v_p(C)/8)\ln p$. Go to step 2.

The Archimedean contribution has a more interesting history from the
computational point of view. Initially, it was defined using logarithms of $\sigma$
functions on the curve, but such objects are not easy to compute by hand or
with a hand-held calculator. Tate then discovered a very nice way to compute
it using a simple series. Silverman's paper [Sil2] also contains an improvement
to that method. However, that series converges only geometrically (the $n$-th
term is bounded by a constant times $4^{-n}$). The original definition, while more
cumbersome, has a faster rate of convergence by using $q$-expansions, so it
should be preferred for high-precision calculations.

Algorithm 7.5.7 (Height Contribution at $\infty$). Given $a_1, \ldots, a_6 \in \mathbb{R}$ and the
coordinates $(x, y)$ of a point $P$ on $E(\mathbb{R})$, this algorithm computes the Archimedean
contribution of the canonical height of $P$.

1. [Initialize] Using Formulas (7.1), compute $b_2$, $b_4$, $b_6$ and $\Delta$. Using Algorithm
7.4.7, compute $\omega_1$ and $\omega_2$. Using Algorithm 7.4.8, compute the elliptic logarithm
$z$ of the point $P$. Set $\lambda \leftarrow 2\pi/\omega_2$, $t \leftarrow \lambda\,\mathrm{Re}(z)$ and $q \leftarrow e^{2i\pi\omega_1/\omega_2}$.
(Note that $q$ is a real number and $|q| < 1$.)

2. [Compute theta function] Set
$$\theta \leftarrow \sum_{n=0}^{\infty}\sin((2n+1)t)\,(-1)^n q^{n(n+1)/2}$$
(stopping the sum when $q^{n(n+1)/2}$ becomes sufficiently small).

3. [Terminate] Output
$$\cdots + \ln\left|\frac{x^3 + (b_2/4)x^2 + (b_4/2)x + b_6/4}{\Delta}\right|$$
and terminate the algorithm.

The canonical height $\hat h(P)$ is the sum of the two contributions coming
from Algorithms 7.5.6 and 7.5.7.
7.5.3 Algorithms for computing the L-function

As we have seen, according to the Birch and Swinnerton-Dyer conjecture, most
of the interesting arithmetical invariants of an elliptic curve $E$ are grouped
together in the behavior of $L(E, s)$ around the point $s = 1$, in a manner similar
to the case of number fields. In this section, we would like to explain how to
compute this $L$-function at $s = 1$, assuming of course that $E$ is a modular
elliptic curve. The result is analogous to Propositions 5.3.14 and 5.6.11 but is
in fact simpler since it (apparently) does not involve any higher transcendental
functions.

Proposition 7.5.8. Let $E$ be a modular elliptic curve, let $N$ be the conductor
of $E$, let $L(E, s) = \sum_{n \ge 1}a_nn^{-s}$ be the $L$-series of $E$ and finally let $\varepsilon = \pm 1$
be the sign in the functional equation for $L(E, s)$. Then if $A$ is any positive
real number, we have
$$L(E, 1) = \sum_{n=1}^{\infty}\frac{a_n}{n}\left(e^{-2\pi nA/\sqrt N} + \varepsilon e^{-2\pi n/(A\sqrt N)}\right)$$
and in particular
$$L(E, 1) = (1 + \varepsilon)\sum_{n=1}^{\infty}\frac{a_n}{n}e^{-2\pi n/\sqrt N}.$$

As in the case of quadratic fields, we have given the general formula
involving a real parameter $A$, but here the purpose is different. In the case
of quadratic fields, it gave the possibility of checking the correctness of the
computation of certain higher transcendental functions. Here, its use is very
different: since the expression must be independent of $A$, it gives an indirect
but quite efficient way to compute the sign $\varepsilon$ (and also the conductor $N$ for
that matter), which otherwise is not so easy to compute (although there exist
algorithms for doing so which are rather tedious). Indeed, we compute the
right hand side of the formula giving $L(E, 1)$ for two different values of $A$, say
$A = 1$ and $A = 1.1$ ($A$ should be close to 1 for optimal speed), and the results
must agree. Only one of the two possible choices for $\varepsilon$ will give results which
agree. Hence the above proposition enables us, not only to compute $L(E, 1)$
to great accuracy (the series converges exponentially) but also to determine
the sign of the functional equation. Also note that the $a_p$ are computed using
Algorithm 7.4.12 or simply as a sum of Legendre symbols, and the $a_n$ are
computed using the relations $a_1 = 1$, $a_{mn} = a_ma_n$ if $m$ and $n$ are coprime,
and $a_{p^k} = a_pa_{p^{k-1}} - pa_{p^{k-2}}$ for $k \ge 2$.
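As an added example, not code from the book, the following Python code evaluates the formula of Proposition 7.5.8 for the curve $y^2 + y = x^3 - x^2 - 10x - 20$ of conductor $N = 11$ (the conductor is assumed known), computing the $a_p$ by counting points modulo $p$ and the $a_n$ by the relations above (for $p \mid N$ the Euler factor has no $p a_{p^{k-2}}$ term), and determines $\varepsilon$ by comparing the evaluations at $A = 1$ and $A = 1.1$ as the text describes.

```python
import math

# Added example (not the book's code): L(E,1) and the sign of the functional equation via
# Proposition 7.5.8. The a_p are obtained by brute-force point counting, which is fine for
# the small primes needed when N is small.

def a_p(a, p):
    """a_p = p + 1 - #E(F_p) for the model [a1, a2, a3, a4, a6]. For p | N the singular
    point is counted too, which gives the correct a_p for a minimal model."""
    a1, a2, a3, a4, a6 = a
    count = 1                                    # the point at infinity
    for x in range(p):
        rhs = (x ** 3 + a2 * x * x + a4 * x + a6) % p
        for y in range(p):
            if (y * y + a1 * x * y + a3 * y - rhs) % p == 0:
                count += 1
    return p + 1 - count

def coefficients(a, N, n_max):
    """a_n for 1 <= n <= n_max from the a_p: a_1 = 1, a_{mn} = a_m a_n for coprime m, n,
    a_{p^k} = a_p a_{p^{k-1}} - p a_{p^{k-2}} for p not dividing N, and a_{p^k} = a_p^k for p | N."""
    ap = {}
    an = [0] * (n_max + 1)
    an[1] = 1
    for n in range(2, n_max + 1):
        p = next(d for d in range(2, n + 1) if n % d == 0)   # smallest prime factor of n
        if p not in ap:
            ap[p] = a_p(a, p)
        m, k = n, 0
        while m % p == 0:
            m //= p
            k += 1
        if N % p == 0:
            apk = ap[p] ** k
        else:
            prev2, prev1 = 1, ap[p]
            for _ in range(k - 1):
                prev2, prev1 = prev1, ap[p] * prev1 - p * prev2
            apk = prev1
        an[n] = apk * an[m]                      # m is coprime to p and already known
    return an

def L1(an, N, eps, A):
    """Right-hand side of Proposition 7.5.8 for the parameter A and the sign eps."""
    sN = math.sqrt(N)
    return sum(an[n] / n * (math.exp(-2 * math.pi * n * A / sN)
                            + eps * math.exp(-2 * math.pi * n / (A * sN)))
               for n in range(1, len(an)))

def sign_and_L1(a, N, A=1.1):
    """Return (eps, L(E,1)): eps is the sign for which the evaluations at A = 1 and at
    the given A agree, which is the test described in the text."""
    # enough terms for e^{-2 pi n min(A,1/A)/sqrt N} to drop below about 1e-16
    n_max = int(6 * math.sqrt(N) * max(A, 1 / A)) + 20
    an = coefficients(a, N, n_max)
    best = None
    for eps in (1, -1):
        v1, vA = L1(an, N, eps, 1.0), L1(an, N, eps, A)
        if best is None or abs(v1 - vA) < best[0]:
            best = (abs(v1 - vA), eps, v1)
    return best[1], best[2]

# Constructed input: the modular curve y^2 + y = x^3 - x^2 - 10x - 20 of conductor 11
CURVE_11A = (0, -1, 1, -10, -20)

if __name__ == "__main__":
    print(sign_and_L1(CURVE_11A, 11))
```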

This is not the whole story. Assume that we discover in this way that
$\varepsilon = -1$. Then $L(E, 1) = 0$ for trivial antisymmetry reasons, but the Birch and
Swinnerton-Dyer conjecture tells us that the interesting quantity to compute
is now the derivative $L'(E, 1)$ of $L(E, s)$ at $s = 1$. In that case we have the
following proposition which now involves higher transcendental functions.

Proposition 7.5.9. Let $E$ be a modular elliptic curve, let $N$ be the conductor
of $E$, and let $L(E, s) = \sum_{n \ge 1}a_nn^{-s}$ be the $L$-series of $E$. Assume that the
sign $\varepsilon$ of the functional equation for $L(E, s)$ is equal to $-1$ (hence trivially
$L(E, 1) = 0$). Then

where $E_1$ is the exponential integral function already used in Proposition
5.6.11.

In the case where $L(E, s)$ vanishes to order greater than 1 around $s = 1$,
there exist similar formulas for $L^{(r)}(E, 1)$ using functions generalizing the
function $E_1(x)$. We refer to [BGZ] for details. If we assume the Birch and
Swinnerton-Dyer conjecture, these formulas allow us to compute the rank of
the curve $E$ as the exact order of vanishing of $L(E, s)$ around $s = 1$. Note
that although the convergence of the series which are obtained is exponential,
we need at least $O(\sqrt N)$ terms before the partial sums start to become
significantly close to the result, hence the limit of this method, as in the case of
quadratic fields, is for $N$ around $10^{10}$. In particular, if we want to estimate the
rank of elliptic curves having a much larger conductor, other methods must
be used (still dependent on all standard conjectures). We refer to [Mes2] for
details.


7.6 Algorithms for Elliptic Curves with Complex
Multiplication

7.6.1 Computing the Complex Values of $j(\tau)$

We first describe an efficient way to compute the numerical value of the function
$j(\tau)$ for $\tau \in \mathcal{H}$.

Note first that, as in most algorithms of this sort, it is worthwhile to have
$\tau$ with the largest possible imaginary part, hence to use $j(\tau) = j(\gamma(\tau))$ for
any $\gamma \in \mathrm{SL}_2(\mathbb{Z})$. For this, we use Algorithm 7.4.2.

After this preliminary step, there are numerous formulas available to us
for computing $j(\tau)$, as is the case for all modular forms or functions. We could
for example use Algorithm 7.4.3 for computing $g_2$ and $g_3$. It would also be
possible to use formulas based on the use of the arithmetic-geometric mean
which are quadratically convergent. This would be especially useful for high
precision computations of $j(\tau)$.
We will use an intermediate approach which I believe is best suited for
practical needs. It is based on the following formulas.

Set as usual $q = e^{2i\pi\tau}$, and
$$\Delta(\tau) = q\left(1 + \sum_{n \ge 1}(-1)^n\left(q^{n(3n-1)/2} + q^{n(3n+1)/2}\right)\right)^{24}.$$

This expression should be computed as written. Note that the convergence is
considerably better than that of an ordinary power series since the exponents
grow quadratically. It is a well known theorem on modular forms that
$$g_2^3 - 27g_3^2 = \left(\frac{2\pi}{\omega_2}\right)^{12}\Delta(\tau).$$

Now the formula that we will use for computing $j(\tau)$ is
$$j(\tau) = \frac{(256f(\tau) + 1)^3}{f(\tau)} \qquad\text{where}\qquad f(\tau) = \frac{\Delta(2\tau)}{\Delta(\tau)}$$
(note that changing $\tau$ into $2\tau$ changes $q$ into $q^2$).


7.6.2 Computing the Hilbert Class Polynomials

Our second goal is to compute the equation of degree $h(D)$ satisfied by $j(\tau)$,
which we will call the Hilbert class polynomial for the discriminant $D$. For
this we directly apply Theorem 7.2.14. This leads to the following algorithm,
which is closely modeled on Algorithm 5.3.5.

Algorithm 7.6.1 (Hilbert Class Polynomial). Given a negative discriminant
$D$, this algorithm computes the monic polynomial of degree $h(D)$ in $\mathbb{Z}[X]$ of
which $j((D + \sqrt{D})/2)$ is a root. We make use of a polynomial variable $P$.

1. [Initialize] Set $P \leftarrow 1$, $b \leftarrow D \bmod 2$ and $B \leftarrow \sqrt{|D|/3}$.

2. [Initialize $a$] Set $t \leftarrow (b^2 - D)/4$ and $a \leftarrow \max(b, 1)$.

3. [Test] If $a \nmid t$ go to step 4. Otherwise compute $j \leftarrow j((-b + \sqrt{D})/(2a))$ using
the above formulas. Now if $a = b$ or $a^2 = t$ or $b = 0$ set $P \leftarrow P \cdot (X - j)$, else
set $P \leftarrow P \cdot (X^2 - 2\mathrm{Re}(j)X + |j|^2)$.

4. [Loop on $a$] Set $a \leftarrow a + 1$. If $a^2 \le t$, go to step 3.

5. [Loop on $b$] Set $b \leftarrow b + 2$. If $b \le B$ go to step 2, otherwise round the
coefficients of $P$ to the nearest integer, output $P$ and terminate the algorithm.


An important remark must be made, otherwise this algorithm would not
make much sense. The final coefficients of $P$ (known to be integers) must be
computed within an error of 0.5 at most. For this, we need to make some a
priori estimate on the size of the coefficients of $P$. In practice, we look at the
constant term, which is usually not far from being the largest. This term is
equal to the product of the values $j((-b + \sqrt{D})/(2a))$ over all reduced forms
$(a, b, c)$, and the modulus of this is approximately equal to $e^{2\pi\sqrt{|D|}/(2a)}$, hence
the modulus of the constant term is relatively close to $10^k$, where
$$k = \frac{\pi\sqrt{|D|}}{\ln(10)}\sum\frac{1}{a},$$
the sum running over all reduced forms $(a, b, c)$ of discriminant $D$.

Hence in step 3, the computation of the $j$-values should be done with at
least $k + 10$ significant digits, 10 being an empirical constant which is sufficient
in practice. Note that the value of $\sum 1/a$ is not known in advance, so it should
be computed independently (by again applying a variant of Algorithm 5.3.5),
since this will in any case take a negligible proportion of the time spent.
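An added example (not the book's code) that implements both the $j(\tau)$ formula of Section 7.6.1 and the steps of Algorithm 7.6.1 in Python. It uses double-precision complex arithmetic, which by the estimate above is only reliable for small $|D|$; the primitivity check on $(a, b, c)$ is an addition for non-fundamental $D$, and the discriminants in the usage are constructed inputs.

```python
import cmath
import math

# Added example (not the book's code): j(tau) via Delta(2 tau)/Delta(tau) as in Section 7.6.1,
# and the Hilbert class polynomial by Algorithm 7.6.1, in double precision.

def delta(q, terms=20):
    """Delta(tau) = q (1 + sum_{n>=1} (-1)^n (q^{n(3n-1)/2} + q^{n(3n+1)/2}))^24 with q = e^{2 i pi tau}.
    The exponents grow quadratically, so a few terms suffice for reduced tau (|q| < 0.005)."""
    s = 1
    for n in range(1, terms + 1):
        s += (-1) ** n * (q ** (n * (3 * n - 1) // 2) + q ** (n * (3 * n + 1) // 2))
    return q * s ** 24

def j_from_tau(tau):
    """j(tau) = (256 f + 1)^3 / f with f = Delta(2 tau)/Delta(tau); 2 tau turns q into q^2."""
    q = cmath.exp(2j * math.pi * tau)
    f = delta(q * q) / delta(q)
    return (256 * f + 1) ** 3 / f

def poly_mul(p, r):
    """Product of two polynomials given as coefficient lists, lowest degree first."""
    out = [0j] * (len(p) + len(r) - 1)
    for i, pi in enumerate(p):
        for k, rk in enumerate(r):
            out[i + k] += pi * rk
    return out

def hilbert_class_polynomial(D):
    """Integer coefficients (lowest degree first) of the monic polynomial of degree h(D)
    with root j((D + sqrt D)/2), following Algorithm 7.6.1 step by step."""
    if D >= 0 or D % 4 not in (0, 1):
        raise ValueError("D must be a negative discriminant")
    P = [1 + 0j]
    b = D % 2                                   # step 1
    B = math.isqrt(-D // 3)                     # floor(sqrt(|D|/3)), the bound on b
    while b <= B:                               # step 5 runs b over 0 or 1, then b + 2, ...
        t = (b * b - D) // 4                    # step 2: t = a c for the form (a, b, c)
        a = max(b, 1)
        while a * a <= t:                       # step 4: reduced forms have a <= c
            if t % a == 0:                      # step 3: c = t / a must be an integer
                c = t // a
                # Added check, not among the book's steps: skip non-primitive forms so
                # that a non-fundamental D still yields a polynomial of degree h(D).
                if math.gcd(math.gcd(a, b), c) == 1:
                    j = j_from_tau(complex(-b, math.sqrt(-D)) / (2 * a))
                    if a == b or a * a == t or b == 0:
                        P = poly_mul(P, [-j, 1])                        # one reduced form
                    else:
                        P = poly_mul(P, [abs(j) ** 2, -2 * j.real, 1])  # (a, b, c) and (a, -b, c)
            a += 1
        b += 2
    return [round(coef.real) for coef in P]     # the coefficients are known to be integers

if __name__ == "__main__":
    for D in (-4, -7, -15, -23):               # constructed sample discriminants
        print(D, hilbert_class_polynomial(D))
```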


7.6.3 Computing Weber Class Polynomials

One of the main applications of computing the Hilbert class polynomials is
to explicitly generate the Hilbert class field of $K = \mathbb{Q}(\sqrt{D})$ when $D$ is a
negative fundamental discriminant. As already mentioned, the coefficients of
these polynomials will be very large, and it is desirable to make them smaller.
One method is to use the POLRED Algorithm 4.4.11. An essentially equivalent
method is given in [Kal-Yui]. A better method is to start by using some extra
algebraic information.

We give an example. Set
$$\eta(\tau) = e^{2i\pi\tau/24}\left(1 + \sum_{n \ge 1}(-1)^n\left(q^{n(3n-1)/2} + q^{n(3n+1)/2}\right)\right)$$
(this is the 24-th root of the function $\Delta(\tau)$ defined above, and is called
Dedekind's eta-function). Define
$$f_1(\tau) = \frac{\eta(\tau/2)}{\eta(\tau)}.$$
Then if $D \equiv \pm 8 \pmod{32}$ and $3 \nmid D$, if we set
$$u = f_1(\sqrt{D})^2\sqrt{2},$$
we can use $u$ instead of $j$ for generating the class field. Indeed, one can show
that $K(j) = K(u)$, that $u$ is an algebraic integer (of degree equal to $h(D)$), and
what is more important, that the coefficients of the minimal monic polynomial
of $u$ (which we will call the Weber class polynomial for $D$) have approximately
12 times fewer digits than those of the Hilbert class polynomials.

Note that one can easily recover $j$ from $u$ if needed. For example, in our
special case above we have
$$j = \frac{(256 - u^{12})^3}{u^{24}}.$$

This takes care only of certain congruence classes for $D$, but most can be
treated in a similar manner. We refer the interested reader to [Atk-Mor] or to
[Kal-Yui] for complete details.

The algorithm for computing the Weber class polynomials is essentially
identical to the one for Hilbert class polynomials: we replace $j$ by $u$, and
furthermore use a much lower precision for the computation of $u$. For example, in
the case $D \equiv \pm 8 \pmod{32}$ and $3 \nmid D$, we can take approximately one twelfth
of the number of digits that were needed for the Hilbert class polynomials.


7.7 Exercises for Chapter 7

1. (J. Cremona) Given $c_4$ and $c_6$ computed by Formulas (7.1), we would like to
recover the $b_i$ and $a_i$, where we assume that the $a_i$ are in $\mathbb{Z}$. Show that the
following procedure is valid. Let $b_2$ be the unique integer such that $-5 \le b_2 \le 6$
and $b_2 \equiv -c_6 \pmod{12}$. Then set $b_4 = (b_2^2 - c_4)/24$, $b_6 = (-b_2^3 + 36b_2b_4 - c_6)/216$.
Finally set $a_1 = b_2 \bmod 2 \in \{0, 1\}$, $a_2 = (b_2 - a_1)/4 \in \{-1, 0, 1\}$, $a_3 = b_6 \bmod 2
\in \{0, 1\}$, $a_4 = (b_4 - a_1a_3)/2$ and $a_6 = (b_6 - a_3^2)/4$.

2. Let $E$ be an elliptic curve with complex multiplication by the complex quadratic
order of discriminant $D$. Show that if $p$ is a prime such that $\left(\frac{D}{p}\right) = -1$, then
$|E(\mathbb{Z}/p\mathbb{Z})| = p + 1$.

3. Using the result of Exercise 2, show that the only torsion points on the elliptic
curve $y^2 = x^3 - n^2x$ (which has complex multiplication by $\mathbb{Z}[i]$) are the 4 points
of order 1 or 2. (Hint: use Dirichlet's theorem on the infinitude of primes in
arithmetic progressions.)

4. Show that the elliptic curve $y^2 = 4x^3 - 30x - 28$ has complex multiplication
by $\mathbb{Z}[\sqrt{-2}]$ and give explicitly the action of multiplication by $\sqrt{-2}$ on a point
$(x, y)$.

5. Given an elliptic curve defined over $\mathbb{Q}$ by a generalized Weierstraß equation, write
an algorithm which determines whether this curve has complex multiplication,
and if this is the case, gives the complex quadratic order $\mathrm{End}(E)$. (This exercise
requires some additional knowledge about elliptic curves.)

6. Using Algorithm 7.4.10, find a Weierstraß equation for the elliptic curve $E$ given
by the projective equation
$$x^3 + y^3 = at^3$$
with $(1 : -1 : 0)$ as given rational point.

7. Given the point $(2 : 1 : 1)$ on the elliptic curve whose projective equation is
$x^3 + y^3 = 9t^3$, find another rational point with positive coordinates (apart from
the point $(1 : 2 : 1)$ of course). It may be useful to use the result of Exercise 6.

8. Given an elliptic curve $E$ by a general Weierstraß equation $y^2 + a_1xy + a_3y =
x^3 + a_2x^2 + a_4x + a_6$ and a complex number $z$, give the formulas generalizing
those of Proposition 7.4.4 for the coordinates $(x, y)$ on $E(\mathbb{C})$ corresponding to $z$
considered as an element of $\mathbb{C}/L$ where $L$ is the lattice associated to $E$.

9. (J.-F. Mestre) Let $r_1$, $r_2$, $r_3$ and $r_4$ be distinct rational numbers and let $t$ be
a parameter (which we will also take to be a rational number). Consider the
polynomial of degree 12
$$P(X) = \prod_{i \ne j}\left(X - (r_i + tr_j)\right).$$

a) By considering the Laurent series expansion of $P(X)^{1/3}$, show that for any
monic polynomial $P$ of degree 12 there exists a unique polynomial $g \in \mathbb{Q}[X]$
such that $\deg(P(X) - g^3(X)) \le 7$, and show that in our special case we have in
fact $\deg(P(X) - g^3(X)) \le 6$.

b) Show that there exists $q(X) \in \mathbb{Q}[X]$ and $r(X) \in \mathbb{Q}[X]$ such that $P(X) =
g^3(X) + q(X)g(X) + r(X)$ with $\deg(q) \le 2$ and $\deg(r) \le 3$.

c) Deduce from this that the equation $Y^3 + q(X)Y + r(X) = 0$ is the equation
of a cubic with rational coefficients, and that the 12 points $(r_i + tr_j, g(r_i + tr_j))_{i \ne j}$
are 12 (not necessarily distinct) rational points on this cubic.

d) Give explicit values of the $r_i$ and $t$ such that the cubic is non-singular,
the 12 points above are distinct and in fact linearly independent for the group
law on the cubic.

e) Using Algorithm 7.4.10, find a Weierstraß equation corresponding to the
cubic, and give explicitly an elliptic curve defined over $\mathbb{Q}$ whose rank is at least
equal to 11 as well as 11 independent points on the elliptic curve (note that we
have to "lose" a point in order to obtain an elliptic curve). To answer the last
two questions of this exercise, the reader is strongly advised to use a package
such as those described in Appendix A. In [Nag] it is shown how to refine this
construction in order to have infinite families of elliptic curves of rank 13 instead
of 11.

10. Prove that the AGM of two positive real numbers exists, i.e. that the two
sequences $a_n$ and $b_n$ given in the text both converge and to the same limit. Show
also that the convergence is quadratic.

11. The goal of this exercise is to prove the formula giving $\mathrm{AGM}(a, b)$ in terms of
an elliptic integral.

a) Set
$$I(a, b) = \int_0^{\pi/2}\frac{dt}{\sqrt{a^2\cos^2 t + b^2\sin^2 t}}.$$
By making the change of variable $\sin t = 2a\sin u/((a + b) + (a - b)\sin^2 u)$ show
that $I(a, b) = I((a + b)/2, \sqrt{ab})$.

b) Deduce from this the formula $I(a, b) = \pi/(2\,\mathrm{AGM}(a, b))$ given in the text.

c) By making the change of variable $x = a + (b - a)\sin^2 t$, express $I(a, b)$ as
an elliptic integral.


Chapter  8 

Factoring  in  the  Dark  Ages 


I  owe  this  title  to  a  talk  given  by  Hendrik  Lenstra  at  MSRI  Berkeley  in  the 
spring  of  1990. 


8.1  Factoring  and  Primality  Testing 

Since Fermat, it is known that the problem of decomposing a positive integer
$N$ into the product of its prime factors splits in fact into three subproblems.
The first problem is to decide quickly whether $N$ is composite or probably
prime. Such tests, giving a correct answer when $N$ is composite, but no real
answer when $N$ is prime, will be called compositeness tests (and certainly not
primality tests). We will study them in Section 8.2. The second problem is, if
one is almost sure that $N$ is prime, to prove that it is indeed prime. Methods
used before 1980 to do this will be studied in Section 8.3. Modern methods are
the subject matter of Chapter 9. The third problem is, once one knows
that $N$ is composite, to factor $N$. Methods used before the 1960's (i.e. in the
dark ages) will be studied starting at Section 8.4. Modern methods are the
subject matter of Chapter 10.

Note that factoring/primality testing is usually a recursive process. Given
a composite number N, a factoring method will not in general give the
complete factorization of N, but only a non-trivial factor d, i.e. such that
1 < d < N. One then starts working on the two pieces d and N/d. Finding
a non-trivial divisor d of N will be called splitting N, or even, sometimes by
abuse of language, factoring N.

Before going to the next section, it should be mentioned that the most
naive method of trial division (which simultaneously does factoring and primality
testing) deserves a paragraph. Indeed, in most factoring methods, it
usually never hurts to trial divide up to a certain bound to remove small factors.
Now we want to divide N by primes up to the square root of N. For this,
we may or may not have at our disposal a sufficiently large table of primes.
If this is not the case, it is clear that we can divide N by numbers d in given
congruence classes, for example 1 and 5 modulo 6, or 1, 7, 11, 13, 17, 19, 23, 29
modulo 30. We will then make unnecessary divisions (by composite numbers),
but the result will still be correct. Hence we may for instance use the following
algorithm.
Algorithm 8.1.1 (Trial Division). We assume given a table of prime numbers
p[1] = 2, p[2] = 3, ..., p[k], with k > 3, an array t ← [6, 4, 2, 4, 2, 4, 6, 2], and an
index j such that if p[k] mod 30 is equal to 1, 7, 11, 13, 17, 19, 23 or 29 then j is
set equal to 0, 1, 2, 3, 4, 5, 6 or 7 respectively. Finally, we give ourselves
an upper bound B such that B ≥ p[k], essentially to avoid spending too much
time.

Then given a positive integer N, this algorithm tries to factor (or split) N,
and if it fails, N will be free of prime factors less than or equal to B.

1. [Initialize] If N ≤ 5, output the factorization 1 = 1, 2 = 2, 3 = 3, 4 = 2²,
5 = 5 corresponding to the value of N, and terminate the algorithm. Otherwise,
set i ← −1, m ← 0, l ← ⌊√N⌋.

2. [Next prime] Set m ← m + 1. If m > k set i ← j − 1 and go to step 5,
otherwise set d ← p[m].

3. [Trial divide] Set r ← N mod d. If r = 0, then output d as a non-trivial divisor
of N and terminate the algorithm (or set N ← N/d, l ← ⌊√N⌋ and repeat
step 3 if we want to continue finding factors of N).

4. [Prime?] If d > l, then if N > 1 output a message saying that the remaining
N is prime and terminate the algorithm. Otherwise, if i < 0 go to step 2.

5. [Next divisor] Set i ← (i + 1) mod 8, d ← d + t[i]. If d > B, then output a
message saying that the remaining prime divisors of N are greater than B,
otherwise go to step 3.

Note that we have i = −1 as long as we are using our prime number table,
i ≥ 0 if not.

This test should not be used for factoring completely, except when N is
very small (say N < 10⁸) since better methods are available for that purpose.
On the other hand, it is definitely useful for removing small factors.

Implementation Remark. I suggest using a table of primes up to 500000,
if you can spare the memory (this represents 41538 prime numbers). Trial
division up to this limit usually never takes more than a few seconds on
modern computers. Furthermore, only the difference of the primes (or even
half of these differences) should be stored and not the primes themselves, since
p[k] − p[k − 1] can be held in one byte instead of four when p[k] < 436273009,
and (p[k] − p[k − 1])/2 can be held in one byte if p[k] < 304599508537 (see
[Bre3]).

Also, I suggest not doing any more divisions after exhausting the table of
primes since there are better methods to remove small prime factors. Finally,
note that it is not really necessary to compute l ← ⌊√N⌋ in the initialization
step, since the test d > l in step 4 can be replaced by the test q < d, where
q is the Euclidean quotient of N by d, usually computed simultaneously with
the remainder in step 3 (for integers, q < d is equivalent to d² > N).
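As an added illustration (not code from the book), here is a Python implementation of Algorithm 8.1.1: a short prime table p[1..k], then the wheel t = [6, 4, 2, 4, 2, 4, 6, 2] stepping through the residues coprime to 30, with the q < d test from the remark replacing the square root. The prime table, the bound B and the return convention are choices made for this example.

```python
"""Trial division with a wheel modulo 30 (Algorithm 8.1.1).  Added example."""

# Prime table p[1..k]; k > 3 is needed so that p[k] >= 7 lies in one of the
# eight residue classes coprime to 30 that the wheel steps through.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]

# t[i]: gap from one residue coprime to 30 to the next, starting at 1:
# 1 -> 7 -> 11 -> 13 -> 17 -> 19 -> 23 -> 29 -> 31 (= 1 mod 30), cyclically.
WHEEL = [6, 4, 2, 4, 2, 4, 6, 2]

# j: index into WHEEL for the residue p[k] mod 30.
START_INDEX = {1: 0, 7: 1, 11: 2, 13: 3, 17: 4, 19: 5, 23: 6, 29: 7}


def candidate_divisors(B, primes=SMALL_PRIMES):
    """Yield the table primes, then every d > p[k] coprime to 30, up to B.
    Composite d are yielded too; they cannot divide N once every smaller
    prime has been removed, so the result stays correct."""
    for p in primes:
        if p > B:
            return
        yield p
    d = primes[-1]
    i = START_INDEX[d % 30]          # i <- j; then step 5 of the algorithm
    while True:
        d += WHEEL[i]
        i = (i + 1) % 8
        if d > B:
            return
        yield d


def trial_division(N, B, primes=SMALL_PRIMES):
    """Remove every prime factor <= B from N.

    Returns (factors, cofactor, complete): `factors` lists the primes found
    with multiplicity, `cofactor` is what is left of N, and `complete` is
    True when the factorization is finished (the cofactor is then 1).  When
    `complete` is False the cofactor has no prime factor <= B."""
    if N < 1:
        raise ValueError("N must be a positive integer")
    if N <= 5:                        # step 1: the five trivial cases
        return {1: [], 2: [2], 3: [3], 4: [2, 2], 5: [5]}[N], 1, True
    factors = []
    for d in candidate_divisors(B, primes):
        q, r = divmod(N, d)           # step 3: quotient and remainder together
        while r == 0:
            factors.append(d)
            N = q
            q, r = divmod(N, d)
        if q < d:                     # step 4: d > sqrt(N), so the rest is prime or 1
            if N > 1:
                factors.append(N)
            return factors, 1, True
    return factors, N, N == 1         # ran past B with an unfactored part left


if __name__ == "__main__":
    print(trial_division(2**10 * 997 * 1009, 1000))
    print(trial_division(1009 * 1013, 100))
```

The wheel yields 49 and other composites coprime to 30; as the text notes this only costs a wasted division, because any prime factor of such a d has already been divided out.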
8.2  Compositeness  Tests

The first thing to do after trial dividing a number N up to a certain bound is
to check whether N (or what remains of the unfactored part) is probably prime
or composite. The possibility of doing this easily is due to Fermat's theorem
$a^{p-1} \equiv 1 \pmod p$ when p is a prime not dividing a. Fermat's theorem in itself
would not be sufficient however, even for getting a probable answer.

The second reason Fermat's theorem is useful is that $a^{p-1} \bmod p$ can be
computed quickly using the powering algorithms of Section 1.2. This is in
contrast with for instance Wilson's theorem stating that $(p-1)! \equiv -1 \pmod p$
if and only if p is prime. Although superficially more attractive than Fermat's
theorem since it gives a necessary and sufficient condition for primality, and
not only a necessary one, it is totally useless because nobody knows how to
compute $(p-1)! \bmod p$ in a reasonable amount of time.

The third reason for the usefulness of Fermat's theorem is that although
it gives only a necessary condition for primality, exceptions (i.e. composite
numbers which satisfy the theorem) are rare. They exist, however. For example
the number $N = 561 = 3 \cdot 11 \cdot 17$ is such that $a^{N-1} \equiv 1 \pmod N$ as
soon as $(a, N) = 1$. Such numbers are called Carmichael numbers. It has just
recently been proved by Alford, Granville and Pomerance ([AGP]) that there
are infinitely many Carmichael numbers and even that up to x their number
is at least $C \cdot x^{2/7}$ for some positive constant C.

It is not difficult to strengthen Fermat's theorem. If p is an odd prime and p
does not divide a, then $a^{(p-1)/2} \equiv \pm 1 \pmod p$ (more precisely it is congruent
to the Legendre symbol $\left(\frac{a}{p}\right)$, see Section 1.4.2). This is stronger than Fermat,
and for example eliminates 561. It does not however eliminate all counterexamples,
since for instance $N = 1729$ satisfies $a^{(N-1)/2} \equiv 1 \pmod N$ for all
a coprime to N.

The first test which is really useful is due to Solovay and Strassen ([Sol-Str]).
It is based on the fact that if we require not only $a^{(N-1)/2} \equiv \pm 1 \pmod N$
but $a^{(N-1)/2} \equiv \left(\frac{a}{N}\right) \pmod N$, where $\left(\frac{a}{N}\right)$ is the Jacobi-Kronecker
symbol, then this will be satisfied by at most N/2 values of a when N is not a
prime. This gives rise to the first compositeness test, which is probabilistic in
nature: for 50 (say) randomly chosen values of a, test whether the congruence
is satisfied. If it fails for some value of a, then N is composite. If it holds for all
50 values, then we say that N is probably prime, with probability of error less
than $2^{-50} \approx 10^{-15}$, lower in general than the probability of a hardware error.

This  test  has  been  superseded  by  a  test  due  to  Miller  and  Rabin  ([Mil], 
[Rab]),  which  has  two  advantages.  First,  it  does  not  require  any  Jacobi  symbol 
computation,  and  second  the  number  of  a  which  will  satisfy  the  test  will  be 
at  most  TV/4  instead  of  TV/2,  hence  fewer  trials  have  to  be  made  to  ensure  a 
given  probability.  In  addition,  one  can  prove  that  if  a  satisfies  the  Rabin-Miller 
test,  then  it  will  also  satisfy  the  Solovay-Strassen  test,  so  the  Miller-Rabin  test 
completely  supersedes  the  Solovay-Strassen  test. 
Definition 8.2.1. Let N be an odd positive integer, and a be an integer.
Write $N - 1 = 2^t q$ with q odd. We say that N is a strong pseudo-prime in
base a if either $a^q \equiv 1 \pmod N$, or if there exists an e such that $0 \le e < t$
and $a^{2^e q} \equiv -1 \pmod N$.

If  p  is  an  odd  prime,  it  is  easy  to  see  that  p  is  a  strong  pseudo-prime  in 
any  base  not  divisible  by  p  (see  Exercise  1).  Conversely,  one  can  prove  (see  for 
example  [Knu2])  that  if  p  is  not  prime,  there  exist  less  than  p/4  bases  a  such 
that  1  <  a  <  p  for  which  p  is  a  strong  pseudo-prime  in  base  a.  This  leads  to 
the  following  algorithm. 

Algorithm 8.2.2 (Rabin-Miller). Given an odd integer N > 3, this algorithm
determines with high probability if N is composite. If it fails, it will output a
message saying that N is probably prime.

1. [Initialize] Set q ← N − 1, t ← 0, and while q is even set q ← q/2 and t ← t + 1
(now N − 1 = 2^t q with q odd). Then set c ← 20.

2. [Choose new a] Using a random number generator, choose randomly an a such
that 1 < a < N. Then set e ← 0, b ← a^q mod N. If b = 1, go to step 4.

3. [Squarings] While b ≢ ±1 (mod N) and e ≤ t − 2 set b ← b² mod N and
e ← e + 1. If b ≠ N − 1 output a message saying that N is composite and
terminate the algorithm.

4. [Repeat test] Set c ← c − 1. If c > 0 go to step 2, otherwise output a message
saying that N is probably prime.

The running time of this algorithm is essentially the same as that of the
powering algorithm which is used, i.e. in principle $O(\ln^3 N)$. Note however that
we can reasonably restrict ourselves to single precision values of a (which will
not be random any more, but it probably does not matter), and in that case
if we use the left-right Algorithms (1.2.2 to 1.2.4), the time drops to $O(\ln^2 N)$.
Hence, it is essentially as fast as one could hope for.

This algorithm is the workhorse of compositeness tests, and belongs in
almost any number theory program. Note once again that it will prove the
compositeness of essentially all numbers, but it will never prove their primality.
In fact, by purely theoretical means, it is usually possible to construct
composite numbers which pass the Rabin-Miller test for any given reasonably
small finite set of bases a ([Arn]). For example, the composite number

1195068768795265792518361315725116351898245581

= 24444516448431392447461 · 48889032896862784894921

is a strong pseudo-prime to bases 2, 3, 5, 7, 11, 13, 17, 19, 23, 29 and 31 and
several others.

There is a variation on this test due to Miller which is as follows. If one
assumes the Generalized Riemann Hypothesis, then one can prove that if N
is not prime, there exists an $a < C \ln^2 N$ such that N will not be a strong
pseudo-prime in base a, C being an explicit constant. Hence this gives a non-
probabilistic primality and compositeness test, but since it is based on an
unproven hypothesis, it cannot be used for the moment. Note that the situation
is completely different in factoring algorithms. There, we can use any
kinds of unproven hypotheses or crystal balls for that matter, since once the
algorithm (or pseudo-algorithm) finishes, one can immediately check whether
we have indeed obtained a factor of our number N, without worrying about the
manner in which it was obtained. Primality testing however requires rigorous
mathematical proofs.

Note also that even if one uses the best known values of the constant C,
for our typical range of values of N (say up to $10^{500}$), the modern methods
explained in Chapter 9 are in practice faster.


8.3  Primality  Tests 

We  now  consider  the  practical  problem  of  rigorously  proving  that  a  number  N 
is  prime.  Of  course,  we  will  try  to  do  this  only  after  N  has  successfully  passed 
the  Rabin-Miller  test,  so  that  we  are  morally  certain  that  N  is  indeed  prime. 


8.3.1  The  Pocklington-Lehmer  N  —  1  Test 

We  need  a  sort  of  converse  to  Fermat’s  theorem.  One  such  converse  was  found 
by  Pocklington,  and  improved  by  Lehmer.  It  is  based  on  the  following  result. 

Proposition 8.3.1. Let N be a positive integer, and let p be a prime divisor
of N − 1. Assume that we can find an integer $a_p$ such that $a_p^{N-1} \equiv 1 \pmod N$
and $(a_p^{(N-1)/p} - 1, N) = 1$. Then if d is any divisor of N, we have $d \equiv 1
\pmod{p^{\alpha_p}}$, where $p^{\alpha_p}$ is the largest power of p which divides N − 1.

Proof. It is clearly enough to prove the result for all prime divisors of N, since
any divisor is a product of prime divisors. Now if d is a prime divisor of N,
we have $a_p^{N-1} \equiv 1 \pmod d$, and $a_p$ is coprime to N (why?) hence to d. On
the other hand, since $(a_p^{(N-1)/p} - 1, N) = 1$, we have $a_p^{(N-1)/p} \not\equiv 1 \pmod d$.
If e is the exact order of $a_p$ modulo d (i.e. the smallest positive exponent such
that $a_p^e \equiv 1 \pmod d$), this means that $e \mid d - 1$, $e \nmid (N-1)/p$ but $e \mid N - 1$,
hence $p^{\alpha_p} \mid e \mid d - 1$, showing that $d \equiv 1 \pmod{p^{\alpha_p}}$. □

Corollary 8.3.2. Assume that we can write $N - 1 = F \cdot U$ where $(F, U) = 1$,
F is completely factored, and $F > \sqrt N$. Then, if for each prime p dividing F
we can find an $a_p$ satisfying the conditions of Proposition 8.3.1, N is prime.
Conversely, if N is prime, for any prime p dividing N − 1, one can find $a_p$
satisfying the conditions of Proposition 8.3.1.

Proof. If the hypotheses of this corollary are satisfied, it follows immediately
from Proposition 8.3.1 that all divisors of N are congruent to 1 mod F. Since
$F > \sqrt N$, this means that N has no prime divisor less than its square root,
hence N is prime.

Conversely, when N is prime, if we take for $a_p$ a primitive root modulo
N, i.e. a generator of the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^*$, it is clear that the
conditions of the proposition are satisfied since the order of $a_p$ is exactly equal
to N − 1. □

This corollary gives us our first true primality test. Its main drawback is
that we need to be able to factor N − 1 sufficiently, and this is in general very
difficult. It is however quite useful for numbers having special forms where
N − 1 factors easily, for example the Fermat numbers $2^{2^k} + 1$ (see Exercise 9).

The condition $F > \sqrt N$ of the corollary can be weakened if we make an
extra test:

Proposition 8.3.3. Assume that we can write $N - 1 = F \cdot U$ where $(F, U) = 1$,
F is completely factored, all the prime divisors of U are greater than B, and
$BF > \sqrt N$. Then if for each prime p dividing F we can find an $a_p$ satisfying
the conditions of Proposition 8.3.1, and if in addition we can find $a_U$ such
that $a_U^{N-1} \equiv 1 \pmod N$ and $(a_U^F - 1, N) = 1$, then N is prime. Conversely,
if N is prime, such $a_p$ and $a_U$ can always be found.

Proof. We follow closely the proof of Proposition 8.3.1. Let d be any prime
divisor of N. Proposition 8.3.1 tells us that $d \equiv 1 \pmod F$. If e is the exact
order of $a_U$ modulo d, then $e \mid d - 1$, $e \mid N - 1$ and $e \nmid F = (N-1)/U$.
Now one cannot have $(e, U) = 1$, otherwise from $e \mid N - 1 = FU$ one would
get $e \mid F$, contrary to the hypothesis. Hence $(e, U) > 1$, and since U has all
its prime factors greater than B, $(e, U) > B$. Finally, since $(F, U) = 1$, from
$d \equiv 1 \pmod e$ and $d \equiv 1 \pmod F$ we obtain $d \equiv 1 \pmod{(e, U) \cdot F}$, hence
$d > B \cdot F > \sqrt N$, showing that N has no prime divisor less than or equal to
its square root, hence that N is prime. □

Note that the condition that U has all its prime factors greater than B is
very natural in practice since the factorization $N - 1 = F \cdot U$ is often obtained
by trial division.
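As an added example (not code from the book), the following Python routine turns Corollary 8.3.2 and Proposition 8.3.3 into a small primality prover: N − 1 is split by trial division up to B into F·U exactly as the remark above describes, an $a_p$ is searched for each prime p | F, and, when only $BF > \sqrt N$ holds, an $a_U$ as well. The bound B, the search limit for the witnesses and the certificate layout are choices made here.

```python
"""Pocklington-Lehmer N-1 primality proof (Proposition 8.3.1, Corollary 8.3.2
and Proposition 8.3.3).  Added example, not from the book."""
from math import gcd, isqrt


def split_by_trial_division(n, B):
    """Write n = F * U: F collects the full prime powers of n whose primes are
    <= B (a cofactor left over once d^2 > n is prime and goes into F as well),
    and every prime factor of U is > B.  Returns (primes dividing F, F, U)."""
    primes, m, d = [], n, 2
    while d <= B and d * d <= m:
        if m % d == 0:
            primes.append(d)
            while m % d == 0:
                m //= d
        d += 1 if d == 2 else 2
    if m > 1 and d * d > m:          # the cofactor is prime: completely factored
        primes.append(m)
        m = 1
    return primes, n // m, m


def find_a(N, exponent, tries=64):
    """Search a = 2, 3, ... with a^(N-1) = 1 (mod N) and gcd(a^exponent - 1, N) = 1.
    Returns ("ok", a), ("composite", a) when some a violates Fermat's theorem,
    or ("inconclusive", None) after `tries` attempts (an assumed search limit)."""
    for a in range(2, 2 + tries):
        if pow(a, N - 1, N) != 1:
            return "composite", a
        if gcd(pow(a, exponent, N) - 1, N) == 1:
            return "ok", a
    return "inconclusive", None


def pocklington_lehmer(N, B=1000):
    """Try to prove N prime from the part of N - 1 found by trial division up to B.
    Returns (verdict, certificate): verdict is True (proven prime), False (proven
    composite) or None (inconclusive); the certificate records F, U and the witnesses."""
    if N < 2:
        return False, "N < 2"
    if N in (2, 3):
        return True, "small prime"
    if N % 2 == 0:
        return False, "even"
    primes, F, U = split_by_trial_division(N - 1, B)
    if gcd(F, U) != 1:
        return None, "F and U are not coprime"
    if F * F > N:                                     # F > sqrt(N)
        rule = "Corollary 8.3.2"
    elif (B * F) ** 2 > N:                            # B*F > sqrt(N): extra witness needed
        rule = "Proposition 8.3.3"
    else:
        return None, "factored part of N-1 too small: B*F <= sqrt(N)"
    cert = {"F": F, "U": U, "rule": rule, "a_p": {}}
    for p in primes:                                  # one a_p per prime p dividing F
        status, a = find_a(N, (N - 1) // p)
        if status != "ok":
            return (False if status == "composite" else None), f"p={p}: {status}"
        cert["a_p"][p] = a
    if rule == "Proposition 8.3.3":                   # a_U with gcd(a_U^F - 1, N) = 1
        status, a = find_a(N, F)
        if status != "ok":
            return (False if status == "composite" else None), f"a_U: {status}"
        cert["a_U"] = a
    return True, cert


if __name__ == "__main__":
    print(pocklington_lehmer(65537))            # F_4 = 2^16 + 1: N - 1 = 2^16, a_2 = 3
    print(pocklington_lehmer(2**31 - 1, B=40))  # 151 * 331 is left in U: Proposition 8.3.3
    print(pocklington_lehmer(561))              # Carmichael number: Fermat fails for a = 3
```

For $N = 2^{31} - 1$ with B = 40 the unfactored part is U = 151·331 and F = 42966, so $F < \sqrt N$ but $BF > \sqrt N$; with B = 20 even that fails and the routine reports that no proof is available, which is the correct answer for a test that must never certify a composite.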


8.3.2  Briefly,  Other  Tests 

Several important generalizations of this test exist. First, working in the
multiplicative group of the field $\mathbb{F}_{N^2}$ instead of $\mathbb{F}_N$, one obtains a test which uses
the factorization of N + 1 instead of N − 1. This gives as a special case the
Lucas-Lehmer test for Mersenne numbers $N = 2^p - 1$. In addition, since $\mathbb{F}_N$
is a subfield of $\mathbb{F}_{N^2}$, it is reasonable to expect that one can combine the
information coming from the two tests, and this is indeed the case. One can
also use higher degree finite fields ($\mathbb{F}_{N^3}$, $\mathbb{F}_{N^4}$ and $\mathbb{F}_{N^6}$) which correspond to
using in addition the completely factored part of $N^2 + N + 1$, $N^2 + 1$ and
$N^2 - N + 1$ respectively. These numbers are already much larger, however,
and do not always give much extra information. Other finite fields give even
larger numbers. One last improvement is that, as in Proposition 8.3.3, one can
use the upper bound used in doing the trial divisions to find the factors of
N − 1, N + 1, etc. For details, I refer to [BLS], [Sel-Wun] or [Wil-Jud].


8.4  Lehman’s  Method 

We now turn our attention to factoring methods. The spirit here will be quite
different. For example, we do not need to be completely rigorous since if we
find a number which may be a factor of N, it will always be trivial to check
if it is or not. It will however be useful to have some understanding of the
asymptotic behavior of the algorithm.

Although several methods were introduced to improve trial division (which
is, we recall, an $O(N^{1/2+\varepsilon})$ algorithm), the first method which has a running
time which could be proved to be substantially lower was introduced
by Lehman (see [Leh1]). Its execution time is at worst $O(N^{1/3+\varepsilon})$, and it is
indeed faster than trial division already for reasonably small values of N. The
algorithm is as follows.

Algorithm 8.4.1 (Lehman). Given an integer N > 3, this algorithm finds a
non-trivial factor of N if N is not prime, or shows that N is prime.

1. [Trial division] Set B ← ⌊N^{1/3}⌋. Trial divide N up to the bound B using
Algorithm 8.1.1. If any non-trivial factor is found, output it and terminate the
algorithm. Otherwise set k ← 0.

2. [Loop on k] Set k ← k + 1. If k > B, output the fact that N is prime
and terminate the algorithm. Otherwise, set r = 1 and m = 2 if k is even,
r = k + N and m = 4 if k is odd.

3. [Loop on a] For all integers a such that 4kN ≤ a² ≤ 4kN + B² and a ≡ r
(mod m) do as follows. Set c ← a² − 4kN. Using Algorithm 1.7.3, test whether
c is a square. If it is, let c = b², output gcd(a + b, N) (which will be a non-trivial
divisor of N) and terminate the algorithm. Otherwise, use the next value of a
if any. If all possible values of a have been tested, go to step 2.

Proof (D. Zagier). We only give a sketch, leaving the details as an exercise to
the reader.

If no factors are found during step 1, this means that all the prime factors
of N are greater than $N^{1/3}$, hence N has at most two prime factors.

Assume first that N is prime. Then the test in step 3 can never succeed.
Indeed, if $a^2 - 4kN = b^2$ then $N \mid a^2 - b^2$, hence $N \mid (a - b)$ or $N \mid (a + b)$, so
$a + b \ge N$; but this is impossible since the given inequalities on k and a imply
that $a < 2N^{2/3} + 1$ and $b \le N^{1/3}$, so $N \le 13$. An easy check shows that for
$3 \le N \le 13$, N prime, the test in step 3 does not succeed.

Assume now that N is composite, so that $N = pq$ with p and q not
necessarily distinct primes, where we may assume that $p \le q$. Consider the
convergents $u_n/v_n$ of the continued fraction expansion of q/p. Let n be the
unique index such that $u_n v_n \le N^{1/3} < u_{n+1} v_{n+1}$ (which exists since $pq >
N^{1/3}$). Using the elementary properties of continued fractions, if we set $k =
u_n v_n$ and $a = p v_n + q u_n$, it is easily checked that the conditions of step 3 are
met, thus proving the validity of the algorithm. □

For each value of k there are at most $\tfrac{1}{2}\left(\sqrt{4kN + N^{2/3}} - \sqrt{4kN}\right) \approx
N^{1/6} k^{-1/2}/8$ values of a, and since $\sum_{k \le x} k^{-1/2} \approx 2x^{1/2}$, the running time of
the algorithm is indeed $O(N^{1/3+\varepsilon})$ as claimed.

We refer to [Leh1] for ways of fine tuning this algorithm, which is now
only of historical interest.
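Here is Algorithm 8.4.1 in Python, as an added example rather than code from the book. Step 1 uses a plain division loop instead of Algorithm 8.1.1, the integer cube root is an integer Newton iteration, and Algorithm 1.7.3's square test is replaced by `math.isqrt`; the guard `1 < g < N` on the GCD is defensive only, since the proof above shows it always holds.

```python
"""Lehman's O(N^(1/3+eps)) factoring method (Algorithm 8.4.1).  Added example."""
from math import gcd, isqrt


def icbrt(n):
    """Floor of the cube root of n >= 1, by integer Newton iteration from above."""
    x = 1 << ((n.bit_length() + 2) // 3)       # x^3 > n
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def lehman(N):
    """Return a non-trivial factor of N, or None when N is prime.  Requires N >= 2."""
    if N < 2:
        raise ValueError("N must be at least 2")
    if N < 4:
        return None                      # 2 and 3 are prime
    B = icbrt(N)
    # Step 1: trial division up to B (the text uses Algorithm 8.1.1 here).  d = 2 is
    # always tried, so that N = 4, 6, 8 (where B = 1) are not reported as prime.
    for d in range(2, max(B, 2) + 1):
        if N % d == 0:
            return d
    # Step 2: loop on k.  A composite N now has exactly two prime factors, both
    # larger than B, and Zagier's argument guarantees a hit for some k <= B.
    for k in range(1, B + 1):
        if k % 2 == 0:
            r, m = 1, 2                  # a odd
        else:
            r, m = (k + N) % 4, 4        # a = k + N (mod 4)
        lo = 4 * k * N
        a = isqrt(lo)
        if a * a < lo:
            a += 1                       # a = ceil(sqrt(4kN))
        hi = isqrt(lo + B * B)           # largest a with a^2 <= 4kN + B^2
        a += (r - a) % m                 # first a in the residue class r (mod m)
        # Step 3: loop on a, testing whether a^2 - 4kN is a square b^2.
        while a <= hi:
            c = a * a - lo
            b = isqrt(c)
            if b * b == c:
                g = gcd(a + b, N)
                if 1 < g < N:
                    return g
            a += m
    return None                          # k exhausted: N is prime


if __name__ == "__main__":
    print(lehman(8051))     # 83 * 97: k = 1, a = 180, a^2 - 4N = 14^2, gcd(194, 8051) = 97
    print(lehman(10007))    # prime: None
```

On N = 8051 the very first k already works: 4N = 32204, a = 180 is the only candidate and 180² − 32204 = 196 = 14², so gcd(180 + 14, 8051) = 97. Note the square-root form of the search: a² − 4kN = b² is (a − b)(a + b) = 4kN, Fermat's difference-of-squares idea applied to the multiples kN.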


8.5  Pollard’s  p  Method 

8.5.1  Outline  of  the  Method 

The idea behind this method is the following. Let f(X) be a polynomial
with integer coefficients. We define a sequence by taking any initial $x_0$, and
setting $x_{k+1} = f(x_k) \bmod N$. If p is an (unknown) prime divisor of N, then
the sequence $y_k = x_k \bmod p$ satisfies the same recursion. Now if f(X) is
chosen suitably, it is not unreasonable to assume that this sequence will behave
like the sequence of iterates of a random map from $\mathbb{Z}/p\mathbb{Z}$ into itself. Such a
sequence must of course be ultimately periodic, and a mathematical analysis
shows that it is reasonable to expect that the period and preperiod will have
length $O(\sqrt p)$. Now if $y_{k+t} = y_k$, this means that $x_{k+t} \equiv x_k \pmod p$, hence
that $(x_{k+t} - x_k, N) > 1$. Now this GCD will rarely be equal to N itself, hence
we obtain in this way, maybe not p, but a non-trivial factor of N, so N is
split and we can look at the pieces. The number of necessary steps will be
$O(\sqrt p) = O(N^{1/4})$, and the total time in bit operations will be $O(N^{1/4} \ln^2 N)$.

Of course, we have just given a rough outline of the method. It is clear
however that it will be efficient since the basic operations are simple, and
furthermore that its running time depends mostly on the size of the smallest
prime factor of N, not on the size of N itself, hence it can replace trial division
or Lehman's method to cast out small factors. In fact, it is still used along
with more powerful methods for that purpose. Finally, notice that, at least in
a primitive form, it is very easy to implement.

We must now solve a few related problems:

(1) How does one find the periodicity relation $y_{k+t} = y_k$?

(2) How does one choose f and $x_0$?

(3) What is the expected average running time, assuming f is a random map?

I would like to point out immediately that although it is believed that the
polynomials that we give below behave like random maps, this is not at all
proved, and in fact the exact mathematical statement to prove needs to be
made more precise.


8.5.2  Methods  for  Detecting  Periodicity 

From now on, we consider a sequence $y_{k+1} = f(y_k)$ from a finite set E into
itself. Such a sequence will be ultimately periodic, i.e. there exist M and
$T > 0$ such that for $k \ge M$, $y_{k+T} = y_k$ but $y_{M-1+T} \ne y_{M-1}$. The number M
will be called the preperiod, and T (chosen as small as possible) will be the
period. If the iterates are drawn on a piece of paper starting at the bottom
and ending in a circle, the figure that one obtains has the shape of the Greek
letter ρ, whence the name of the method.

We would like to find a reasonably efficient method for finding k and $t > 0$
such that $y_{k+t} = y_k$ (we do not need to compute M and T). The initial
method suggested by Pollard and Floyd is to compute simultaneously with
the sequence $y_k$ the sequence $z_k$ defined by $z_0 = y_0$, $z_{k+1} = f(f(z_k))$. Clearly
$z_k = y_{2k}$, and if k is any multiple of T which is larger than M, we must have
$z_k = y_{2k} = y_k$, hence our problem is solved. This leads to a simple-minded
but nonetheless efficient version of Pollard's ρ method. Unfortunately we need
three function evaluations per step, and this may seem too many.

An improvement due to Brent is the following. Let l(m) be the largest
power of 2 less than or equal to m, i.e.
$$l(m) = 2^{\lfloor \lg m \rfloor},$$
so that in particular $l(m) \le m < 2\,l(m)$. Then I claim that there exists an m
such that $y_m = y_{l(m)-1}$. Indeed, if one chooses
$$m = 2^{\lceil \lg \max(M+1,\,T) \rceil} + T - 1,$$
we clearly have $l(m) = 2^{\lceil \lg \max(M+1,\,T) \rceil}$, hence $l(m) - 1 \ge M$ and $m - (l(m) -
1) = T$, thus proving our claim.

If instead of computing an extra sequence $z_k$ we compute only the sequence
$y_k$ and keep $y_{2^e-1}$ each time we hit a power of two minus one, for every m
such that $2^e \le m < 2^{e+1}$ it will be enough to compare $y_m$ with $y_{2^e-1}$ (note
that at any time there is only one value of y to be kept).

Hence Brent's method at first seems definitely superior. It can however
be shown that the number of comparisons needed before finding an equality
$y_m = y_{l(m)-1}$ will be on average almost double that of the initial Pollard-Floyd
method. In practice this means that the methods are comparable, the lower
number of function evaluations being compensated by the increased number
of comparisons which are needed.

However  a  modification  of  Brent’s  method  gives  results  which  are  generally 
better  than  the  above  two  methods.  It  is  based  on  the  following  proposition. 
Proposition 8.5.1.

(1) There exists an m such that
$$y_m = y_{l(m)-1} \quad\text{and}\quad \tfrac{3}{2}\,l(m) \le m < 2\,l(m).$$

(2) The least such m is $m_0 = 3$ if $M = 0$ and $T = 1$ (i.e. if $y_1 = y_0$), and
otherwise is given by
$$m_0 = 2^{\lceil \lg \max(M+1,\,T) \rceil} + T \left\lceil \frac{l(M) + 1}{T} \right\rceil - 1,$$
where we set $l(0) = 0$.


Proof. Set $e = \lceil \lg \max(M + 1, T) \rceil$. We claim that, as in Brent's original
method, we still have $l(m_0) = 2^e$. Clearly, $2^e \le m_0$, so we must prove that
$m_0 < 2^{e+1}$, or equivalently that
$$T \left\lceil \frac{l(M) + 1}{T} \right\rceil \le 2^e.$$

We consider two cases. First, if $T \le l(M)$, then
$$T \left\lceil \frac{l(M) + 1}{T} \right\rceil \le l(M) + T \le 2\,l(M) = 2^{\lfloor \lg M \rfloor + 1} = 2^{\lceil \lg(M+1) \rceil} \le 2^e,$$
since $\lfloor \lg M \rfloor + 1 = \lceil \lg(M + 1) \rceil$. On the other hand, if $T \ge l(M) + 1$, then
$\lceil (l(M) + 1)/T \rceil = 1$, and we clearly have $T \le 2^e$.

Now that our claim is proved, since $l(m_0) - 1 = 2^e - 1 \ge M$ and $m_0 - (l(m_0) - 1)$ is a
multiple of T, we indeed have $y_m = y_{l(m)-1}$ for $m = m_0$. To finish proving
the first part of the proposition, we must show that $\tfrac{3}{2}\,l(m_0) \le m_0$ (the other
inequality being trivial), or equivalently, keeping our notations above, that
$$T \left\lceil \frac{l(M) + 1}{T} \right\rceil - 1 \ge 2^{e-1}.$$

Now clearly the left hand side is greater than or equal to $T - 1$, and on
the other hand $2^{\lceil \lg T \rceil - 1} < 2^{\lg T} = T$, so that $2^{\lceil \lg T \rceil - 1} \le T - 1$ (for $T \ge 2$;
when $T = 1$ we have $M \ge 1$ and the next inequality suffices). Furthermore, the left hand
side is also greater than or equal to $l(M) = 2^{\lfloor \lg M \rfloor}$, and one sees easily that
$2^{\lceil \lg(M+1) \rceil - 1} = 2^{\lfloor \lg M \rfloor}$. Since $2^{e-1}$ is the larger of $2^{\lceil \lg T \rceil - 1}$ and
$2^{\lceil \lg(M+1) \rceil - 1}$, this proves the first part of the proposition. The
proof of the second part (that is, the claim that $m_0$ is indeed the smallest) is
similar (i.e. not illuminating) and is left to the reader. □


Using this proposition, we can decrease the number of comparisons in
Brent's method since it will not be necessary to do anything (apart from a
function evaluation) while m is between $2^e$ and $\tfrac{3}{2} \cdot 2^e$.
8.5.3  Brent's  Modified  Algorithm

We temporarily return to our problem of factoring N. We must first explain
how to choose f and $x_0$. The choice of $x_0$ seems to be quite irrelevant for
the efficiency of the method. On the other hand, one must choose f carefully.
In order to minimize the number of operations, we will want to take for f
a polynomial of small degree. It is intuitively clear (and easy to prove) that
linear polynomials f will not be random and hence give bad results. The
quadratic polynomials on the other hand seem in practice to work pretty well,
as long as we avoid special cases. The fastest to compute are the polynomials
of the form $f(x) = x^2 + c$. Possible choices for c are $c = 1$ or $c = -1$. On the
other hand $c = 0$ should, of course, be avoided. We must also avoid $c = -2$
since the recursion $x_{k+1} = x_k^2 - 2$ becomes trivial if one sets $x_k = u_k + 1/u_k$.

As already explained in Section 8.5.1, the "comparisons" $y_{k+t} = y_k$ are
done by computing $(x_{k+t} - x_k, N)$. Now, even though we have studied efficient
methods for GCD computation, such a computation is slow compared to a
simple multiplication. Hence, instead of computing the GCD's each time, we
batch them up by groups of 20 (say) by multiplying modulo N, and then do
a single GCD instead of 20. If the result is equal to 1 (as will unfortunately
usually be the case) then all the GCD's were equal to 1. If on the other hand
it is non-trivial, we can backtrack if necessary.

The  results  and  discussion  above  lead  to  the  following  algorithm. 

Algorithm 8.5.2 (Pollard $\rho$). Given a composite integer $N$, this algorithm
tries to find a non-trivial factor of $N$.

1. [Initialize] Set $y\leftarrow 2$, $x\leftarrow 2$, $x_1\leftarrow 2$, $k\leftarrow 1$, $l\leftarrow 1$, $P\leftarrow 1$, $c\leftarrow 0$.

2. [Accumulate product] Set $x\leftarrow x^2+1 \bmod N$, $P\leftarrow P\cdot(x_1-x) \bmod N$ and
$c\leftarrow c+1$. (We now have $m=2l-k$, $l=l(m)$, $x=x_m$, $x_1=x_{l(m)-1}$.) If
$c=20$, compute $g\leftarrow(P,N)$ (the GCD of $P$ and $N$), then if $g>1$ go to step 4
else set $y\leftarrow x$ and $c\leftarrow 0$.

3. [Advance] Set $k\leftarrow k-1$. If $k\neq 0$ go to step 2. Otherwise, compute $g\leftarrow(P,N)$.
If $g>1$ go to step 4 else set $x_1\leftarrow x$, $k\leftarrow l$, $l\leftarrow 2l$, then repeat $k$
times $x\leftarrow x^2+1 \bmod N$, then set $y\leftarrow x$, $c\leftarrow 0$ and go to step 2.

4. [Backtrack] (Here we know that a factor of $N$ has been found, maybe equal to
$N$). Repeat $y\leftarrow y^2+1 \bmod N$, $g\leftarrow(x_1-y,N)$ until $g>1$ (this must occur).
If $g<N$ output $g$, otherwise output a message saying that the algorithm fails.
Terminate the algorithm.

Note that the algorithm may fail (indicating that the period modulo the
different prime factors of $N$ is essentially the same). In that case, do not start
with another value of $x_0$, but rather with another polynomial, for example
$x^2-1$ or $x^2+3$.
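Algorithm 8.5.2 written out as an added Python example (my code, not the book's): the comparisons of $x_m$ with $x_{l(m)-1}$ are accumulated as products, a GCD is taken every 20 steps, and step 4 backtracks from the saved point $y$; `rho_factor` retries with $x^2-1$ and $x^2+3$ on failure, as advised above. The inputs $8051=83\cdot 97$ and $1000009=293\cdot 3413$ are constructed.

```python
from math import gcd


def pollard_rho_brent(N, c=1, batch=20):
    """Algorithm 8.5.2 for f(x) = x^2 + c.

    x_m is compared with x_{l(m)-1} only for 3l/2 <= m < 2l (the first half
    of each window is skipped by the advance in step 3); the differences
    x1 - x are multiplied modulo N and one GCD is taken per `batch` steps.
    Returns a factor 1 < g < N, or None when the method fails (g = N).
    """
    f = lambda v: (v * v + c) % N
    y = x = x1 = 2          # step 1: x0 = 2; y is the point to backtrack from
    k = l = 1
    P = 1
    cnt = 0
    while True:
        # step 2: accumulate product
        x = f(x)
        P = P * (x1 - x) % N
        cnt += 1
        if cnt == batch:
            if gcd(P, N) > 1:
                return _backtrack(N, f, x1, y)
            # the page keeps P; resetting it is equivalent since gcd(P, N) = 1
            y, cnt, P = x, 0, 1
        # step 3: advance
        k -= 1
        if k == 0:
            if gcd(P, N) > 1:
                return _backtrack(N, f, x1, y)
            x1 = x                  # x1 = x_{l(m)-1} for the next window
            k, l = l, 2 * l
            for _ in range(k):      # no comparisons while 2^e <= m < (3/2)2^e
                x = f(x)
            y, cnt, P = x, 0, 1


def _backtrack(N, f, x1, y):
    """Step 4: redo the comparisons since y one at a time to isolate the factor."""
    while True:
        y = f(y)
        g = gcd(x1 - y, N)
        if g > 1:
            return g if g < N else None


def rho_factor(N, polys=(1, -1, 3)):
    """On failure retry with another polynomial x^2 + c, not another x0."""
    for c in polys:
        g = pollard_rho_brent(N, c)
        if g is not None:
            return g
    return None
```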

This  algorithm  has  been  further  improved  by  P.  Montgomery  ([Mon2]) 
and  R.  Brent  ([Bre2]). 
8.5.4 Analysis of the Algorithm

As has already been said, it is not known how to analyze the above algorithms
without assuming that $f$ is a random map. Hence the analysis that we give
is in fact an analysis of the iterates of a random map from a finite set $E$ of
cardinality $p$ into itself. We also point out that some of the arguments given
here are not rigorous but can be made so. We have given very few detailed
analyses of algorithms in this book, but we make an exception here because
the mathematics involved is quite pretty and the proofs short.

Call $P(M,T)$ the probability that a sequence of iterates $y_m$ has preperiod
$M$ and period $T$. Then $y_0,\dots,y_{M+T-1}$ are all distinct, and $y_{M+T}=y_M$.
Hence we obtain

$$P(M,T)=\frac{1}{p}\prod_{1\le k<M+T}\left(1-\frac{k}{p}\right).$$

Now we will want to compute the asymptotic behavior as $p\to\infty$ of the
average of certain functions over all maps $f$, i.e. of sums of the form

$$S=\sum_{M,T}P(M,T)\,g(M,T).$$

Now if we set $M=\mu\sqrt p$ and $T=\lambda\sqrt p$, we have

$$\ln(p\cdot P(M,T))=\sum_{k<(\lambda+\mu)\sqrt p}\ln\left(1-\frac{k}{p}\right)
=\sum_{k<(\lambda+\mu)\sqrt p}\left(-\frac{k}{p}+O\!\left(\frac{k^2}{p^2}\right)\right)
\approx-\frac{(\lambda+\mu)^2}{2}.$$

Hence the limiting distribution of $P(M,T)\,dM\,dT$ is

$$\frac{1}{p}e^{-(\lambda+\mu)^2/2}\sqrt p\,d\mu\,\sqrt p\,d\lambda=e^{-(\lambda+\mu)^2/2}\,d\mu\,d\lambda,$$

so our sum $S$ is asymptotic to

$$\int_0^\infty\!\!\int_0^\infty g(\mu\sqrt p,\lambda\sqrt p)\,e^{-(\lambda+\mu)^2/2}\,d\mu\,d\lambda.\qquad(*)$$

As a first application, let us compute the asymptotic behavior of the average
of the period $T$.

Proposition 8.5.3. As $p\to\infty$, the average of $T$ is asymptotic to

Proof. Using (*), we see that the average of $T$ is asymptotic to

$$\sqrt p\int_0^\infty\!\!\int_0^\infty y\,e^{-(x+y)^2/2}\,dx\,dy.$$

By symmetry, this is equal to one half of the integral with $x+y$ instead of $y$,
and this is easily computed and gives the proposition. □
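The computation the proof leaves to the reader, carried out here as an added derivation (not part of the original text). Writing $s=x+y$, the segment $\{x+y=s,\ x,y\ge 0\}$ has length $s$, so

$$\int_0^\infty\!\!\int_0^\infty y\,e^{-(x+y)^2/2}\,dx\,dy
=\frac12\int_0^\infty\!\!\int_0^\infty (x+y)\,e^{-(x+y)^2/2}\,dx\,dy
=\frac12\int_0^\infty s\cdot s\,e^{-s^2/2}\,ds
=\frac12\sqrt{\frac{\pi}{2}},$$

using $\int_0^\infty s^2e^{-s^2/2}\,ds=\sqrt{\pi/2}$. Since $T=y\sqrt p$, the average of $T$ is $\sqrt p$ times this integral, i.e. $\frac12\sqrt{\pi/2}\,\sqrt p=\sqrt{\pi p/8}$.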


Now we need to obtain the average of the other quantities entering into
the expression for $m_0$ given in Proposition 8.5.1. Note that

$$T\left\lfloor\frac{l(M)+T}{T}\right\rfloor=T\left\lfloor\frac{l(M)}{T}\right\rfloor+T.$$

We then have

Proposition 8.5.4. As $p\to\infty$, the average of $T\lfloor l(M)/T\rfloor$ is asymptotic to

$$\frac{\ln\pi-\gamma}{2\ln 2}\sqrt{\frac{\pi p}{8}},$$

where $\gamma=0.57721\ldots$ is Euler's constant.


Proof. The proof is rather long, so we only sketch the main steps. Using (*),
the average of the quantity that we want to compute is asymptotic to

$$S=\sqrt p\int_0^\infty\!\!\int_0^\infty y\left\lfloor\frac{2^{\lfloor\lg(x\sqrt p)\rfloor}}{y\sqrt p}\right\rfloor e^{-(x+y)^2/2}\,dx\,dy.$$

By splitting up the integral into pieces where the floor is constant, it is then
a simple matter to show that

$$S=\sqrt p\sum_{n\ge 1}\int_0^\infty yF\!\left(\frac{2^{\lceil\lg(ny\sqrt p)\rceil}}{\sqrt p}+y\right)dy,$$

where $F(y)=\int_y^\infty e^{-t^2/2}\,dt$. Now we assume that if we replace $\lceil\lg(ny\sqrt p)\rceil$ by
$\lg(ny\sqrt p)+u$, where $u$ is a uniformly distributed variable between 0 and 1,
then $S$ will be replaced by a quantity which is asymptotic to $S$ (this step can
be rigorously justified), i.e.

$$S\sim\sqrt p\int_0^1\sum_{n\ge 1}\int_0^\infty yF(2^uny+y)\,dy\,du.$$

Now using standard methods like integration by parts and power series
expansions, we find

$$S\sim\sqrt p\,\frac{2\sqrt{2\pi}\,\bigl(G(1)-G(1/2)\bigr)}{8\ln 2},$$

where

$$G(x)=\sum_{k\ge 2}(-1)^k\frac{k-1}{k}\zeta(k)x^k$$

and $\zeta(s)$ is the Riemann zeta function. Now from the Taylor series expansion
of the logarithm of the gamma function near $x=1$, we immediately see that

$$G(x)=x\frac{\Gamma'(x+1)}{\Gamma(x+1)}-\ln\Gamma(x+1),$$

and using the special values of the gamma function and its derivative, we
obtain Proposition 8.5.4. □

In a similar way (also by using the trick with the variable $u$), we can prove:

Proposition 8.5.5. As $p\to\infty$, the average of

$$2^{\lceil\lg\max(M+1,T)\rceil}$$

is asymptotic to

$$\frac{3}{2\ln 2}\sqrt{\frac{\pi p}{8}}.$$


Combining these three propositions, we obtain the following theorem.

Theorem 8.5.6. As $p\to\infty$, the average number of function evaluations in
Algorithm 8.5.2 is asymptotic to

$$FE=\frac{3+\ln 4\pi-\gamma}{2\ln 2}\sqrt{\frac{\pi p}{8}}\approx 3.1225\sqrt p,$$

and the number of multiplications mod $N$ (i.e. implicitly of GCD's) is asymptotic to


MM  “  (tet)/!  "  ““»*■ 


This terminates our analysis of the Pollard $\rho$ algorithm. As an exercise,
the reader can work out the asymptotics for the unmodified Brent method
and for the Pollard-Floyd method of detecting periodicity.
8.6 Shanks's Class Group Method

Another $O(N^{1/4+\epsilon})$ method (and even $O(N^{1/5+\epsilon})$ if one assumes the GRH)
is due to Shanks. It is a simple by-product of the computation of the class
number of an imaginary quadratic field (see Section 5.4). Indeed, let $D=-N$
if $N\equiv 3\pmod 4$, $D=-4N$ otherwise. If $h$ is the class number of $\mathbb{Q}(\sqrt D)$
and if $N$ is composite, then it is known since Gauss that $h$ must be even (this
is the start of the theory of genera into which we will not go). Hence, there
must be an element of order exactly equal to 2 in the class group. Such an
element will be called an ambiguous element, or in terms of binary quadratic
forms, a form whose square is equivalent to the unit form will be called an
ambiguous form.

Clearly, $(a,b,c)$ is ambiguous if and only if it is equivalent to its inverse
$(a,-b,c)$, and if the form is reduced this means that we have three cases.

(1) Either $b=0$, hence $D=-4ac$, so $N=ac$.

(2) Or $a=b$, hence $D=b(b-4c)$, hence $N=(b/2)(2c-b/2)$ if $b$ is even,
$N=b(4c-b)$ if $b$ is odd.

(3) Or finally $a=c$, hence $D=(b-2a)(b+2a)$, hence $N=(b/2+a)(a-b/2)$
if $b$ is even, $N=(2a-b)(b+2a)$ if $b$ is odd.

We see that each ambiguous form gives a factorization of $N$ (and this is a
one-to-one correspondence).

Hence, Shanks's factoring method is roughly as follows: after having computed
the class number $h$, look for an ambiguous form. Such a form will give
a factorization of $N$ (which may be trivial). There must exist a form which
gives a non-trivial factorization however, and in practice it is obtained very
quickly.

There remains the problem of finding ambiguous forms. But this is easy
and standard. Write $h=2^tq$ with $q$ odd. Take a form $f$ at random (for
example one of the prime forms $f_p$ used in Algorithm 5.4.10) and compute
$g=f^q$. Then $g$ is in the 2-Sylow subgroup of the class group, and if $g$ is not
the unit form, there exists an exponent $m$ such that $0\le m<t$ and such that
$g^{2^m}$ is an ambiguous form. This is identical in group-theoretic terms to the
idea behind the Rabin-Miller compositeness test (Section 8.2 above).

We leave to the reader the details of the algorithm which can be found in
Shanks's paper [Sha1], as well as remarks on what should be done when the
trivial factorization is found too often.
8.7 Shanks's SQUFOF

Still another $O(N^{1/4+\epsilon})$ method, also due to Shanks, is the SQUFOF (SQUare
FOrm Factorization) method. This method is very simple to implement and
also has the big advantage of working exclusively with numbers which are
at most $2\sqrt N$, hence essentially half of the digits of $N$. Therefore it is
eminently practical and fast when one wants to factor numbers less than $10^{19}$,
even on a pocket calculator. This method is based upon the infrastructure of
real quadratic fields which we discussed in Section 5.8, although little of that
appears in the algorithm itself.

Let $D$ be a positive discriminant chosen to be a small multiple of the
number $N$ that we want to factor (for example we could take $D=N$ if $N\equiv 1\pmod 4$,
$D=4N$ otherwise). Without loss of generality, we may assume that
if $D\equiv 0\pmod 4$, then $D/4\equiv 2$ or $3\pmod 4$, since otherwise we may replace
$D$ by $D/4$, and furthermore we may assume that $D/N$ is squarefree, up to a
possible factor of 4.

As in Shanks's class group method seen in the preceding section, we are
going to look for ambiguous forms of discriminant $D$. Since here $D$ is positive,
we must be careful with the definitions. Recall from Chapter 5 that we have
defined composition of quadratic forms only modulo the action of $\Gamma_\infty$. We will
say that a form is ambiguous if its square is equal to the identity modulo the
action of $\Gamma_\infty$, and not simply equivalent to it. In other words, the square of
$f=(a,b,c)$ as given by Definition 5.4.6 must be of the form $(1,b',c')$. Clearly this
is equivalent to $a\mid b$. Hence, $a$ will be a factor of $D$, so once again ambiguous
forms give us factorizations of $D$. The notion of ambiguous form must not be
confused with the weaker notion of form belonging to an ambiguous cycle (see
Section 5.7) which simply means that its square is equivalent to the identity
modulo the action of $PSL_2(\mathbb Z)$ and not only of $\Gamma_\infty$, i.e. belongs to the principal
cycle.

Now let $g=(a,b,c)$ be a reduced quadratic form of discriminant $D$ such
that $a\mid c$. We note that since $g$ is reduced hence primitive, we must have
$\gcd(a,b)=1$. Using Definition 5.4.6, one obtains immediately that

$$g^2=(a^2,b,c/a),$$

this form being of course not necessarily reduced. This suggests the following
idea.

We start from the identity form and use the $\rho$ reduction operator used
at length in Chapter 5 to proceed along the principal cycle, and we look for
a form $f=(A,B,C)$ such that $A$ is a square (such a form will be called a
square form). We will see in a moment how plausible it is to believe that we
can find such a form. Assume for the moment that we have found one, and
set $A=a^2$ and $g=(a,B,aC)$.

Now $g$ may not be primitive. In that case let $p$ be a prime dividing the
coefficients of $g$. Then if $p=2$ we have $4\mid A$ and $2\mid B$. Hence, $D\equiv B^2\equiv
0$ or $4\pmod{16}$, contradicting $D/4\equiv 2$ or $3\pmod 4$ when $4\mid D$. If $p>2$,
then $p^2\mid D$ hence since $D/N$ or $D/(4N)$ is squarefree, we have $p^2\mid N$.
Although this case is rare in practice, it could occur, so we must compute
$\gcd(a,B)$, and if this is not equal to 1 it gives a non-trivial factor of $N$ (in
fact its square divides $N$), and we can start the factorization after removing
this factor.

Therefore we may assume that $g$ is primitive. It is then clear from the
definition that $g^2=f$, whence the name “square form” given to $f$.

Now we start from $g^{-1}=(a,-B,aC)$ (which may not be reduced) and
proceed along its cycle by applying the $\rho$ operator. Since $g^2$ lies on the principal
cycle, the reduced forms equivalent to $g^{-1}$ will be on an ambiguous cycle.

Now we have the following proposition.

Proposition 8.7.1. Keeping the above notations, there exists an ambiguous
form $g_1$ on the cycle of $g^{-1}$ at exactly half the distance (measured with the $\delta$
function introduced in Chapter 5) of $f$ from the unit form.

Proof. We prove this in the language of ideals, using the correspondence between
classes of forms modulo $\Gamma_\infty$ and classes of ideals modulo multiplication
by $\mathbb Q^*$ given in Section 5.2.

Let $\mathfrak a$ be a representative of the ideal class (modulo $\mathbb Q^*$) corresponding to
the quadratic form $g=(a,B,aC)$. Then by assumption, $\mathfrak a^2=\gamma\mathbb Z_K$ for some
$\gamma\in K$ which is of positive norm since $A=a^2>0$, and hence, in particular,
$\mathcal N(\gamma)=\mathcal N(\mathfrak a)^2$. Set

$$\beta=\gamma+\mathcal N(\mathfrak a)\quad\text{and}\quad\mathfrak b=\beta^{-1}\mathfrak a.$$

(Note that if desired, we can choose $a>0$ and $\mathfrak a$ to be the unique primitive
integral ideal corresponding to $g$, and then $\mathcal N(\mathfrak a)=a$.)

If, as usual, $\sigma$ denotes real conjugation in $K$, we have chosen $\beta$ such that

$$\frac{\sigma(\beta)}{\beta}=\frac{\mathcal N(\mathfrak a)}{\gamma}=\frac{\sigma(\gamma)}{\mathcal N(\mathfrak a)}.$$

Although it is trivial to give $\beta$ explicitly, the knowledgeable reader will
recognize that the existence of such a $\beta$ is guaranteed by Hilbert's Theorem 90.

Now I claim that the quadratic form corresponding to $\mathfrak b$ is the ambiguous
form that we are looking for. First, using the equations given above, we have

$$\mathfrak b^2=\beta^{-2}\mathfrak a^2=\frac{\gamma}{\beta^2}\mathbb Z_K=\frac{\mathcal N(\mathfrak a)}{\mathcal N(\beta)}\mathbb Z_K,$$

so the ideal $\mathfrak b^2$ is indeed equivalent up to multiplication by an element of
$\mathbb Q^*$ to the unit ideal, so if $g_1$ is the quadratic form corresponding to $\mathfrak b^{-1}$, it
is ambiguous.

Second, we clearly have $\gamma/\sigma(\gamma)=(\beta/\sigma(\beta))^2$, hence

$$\delta(g_1)=\frac12\ln\left|\frac{\beta}{\sigma(\beta)}\right|=\frac14\ln\left|\frac{\gamma}{\sigma(\gamma)}\right|,$$

thus proving the proposition. □


Using this proposition, we see that with approximately half the number of
applications of the $\rho$ operator that were necessary to go from the identity to $f$,
we go back from $g^{-1}$ to an ambiguous form. In fact, since we know the exact
distance that we have to go, we could use a form of the powering algorithm
to make this last step much faster.

Now there are two problems with this idea. First, some ambiguous forms
will correspond to trivial factorizations of $N$. Second, we have no guarantee
that we will find square forms other than the identity. This will for instance
be the case when the principal cycle is very short.

For the first problem, we could simply go on along the principal cycle if
a trivial factorization is found. This would however not be satisfactory since
for each square form that we encounter which may correspond to a trivial
factorization, we would have to go back half the distance starting from $g^{-1}$
before noticing this.

A good solution proposed by Shanks is as follows. Assume for the moment
that $D=N$ or $D=4N$. We obtain trivial factorizations of $N$ exactly when the
ambiguous cycle on which $g^{-1}$ lies is the principal cycle itself. Hence, $f=g^2$
will be a square form which is equal to the square of a form on the principal
cycle. Since all the forms considered are reduced, this can happen only if
$g=(a,b,c)$ with $a^2<\sqrt D$, hence $|a|<D^{1/4}$, which is quite a rare occurrence.
When such an $a$ occurs, we store $|a|$ in a list of dubious numbers, which Shanks
calls the queue. Note that the condition $|a|<D^{1/4}$ is a necessary, but in
general not a sufficient condition for the form $g$ to be on the principal cycle,
hence we may be discarding some useful numbers. In practice, this has little
importance.

Now when a square form $(A,B,C)$ with $A=a^2$ is found, we check whether
$a$ is in the queue. If it is, we ignore it. Otherwise, we are certain that the
corresponding square root $g$ is not in the principal cycle. (Note that the distance of
the identity to $f=g^2$ is equal to twice the distance of the identity to $g$. This
means that if $g$ was in the principal cycle, we would have encountered it before
encountering $f$.) Hence, we get a non-trivial factorization of $D$. This may of
course give the spurious factors occurring in $D/N$, in which case one must go
on. In fact, one can in this case modify the queue so that these factorizations
are also avoided.

The second problem is more basic: what guarantee do we have that we
can find a square form different from the identity in the principal cycle? For
example, when the length of the cycle is short, there are none. This is the
case, for example, for numbers $N$ of the form $N=a^2+4$ for $a$ odd, where the
length of the cycle is equal to 1.

There are two different and complementary answers to this question. First,
a heuristic analysis of the algorithm shows that the average number of
reduction steps necessary to obtain a useful square form is $O(N^{1/4})$ (no $\epsilon$ here).
This is much shorter than the usual length of the period which is in general
of the order of $O(N^{1/2})$, so we can reasonably hope to obtain a square form
before hitting the end of the principal cycle.

Second, to avoid problems with the length of the period, it may be
worthwhile to work simultaneously with two discriminants $D$ which are multiples
of $N$, for example $N$ and $5N$ when $N\equiv 1\pmod 4$, $3N$ and $4N$ when $N\equiv 3\pmod 4$.
It is highly unlikely that both discriminants will have short periods.
In addition, although the average number of reduction steps needed is on the
order of $N^{1/4}$, experiments show that there is a very large dispersion around
the mean, some numbers being factored much more easily than others. This
implies that by running simultaneously two discriminants, one may hope to
gain a substantial factor on average, which would compensate for the fact that
twice as much work must be done.

We now give the basic algorithm, i.e. using only $D=N$ if $N\equiv 1\pmod 4$,
$D=4N$ otherwise, and not using the fact that once $g$ is found we can go
back much faster by keeping track of distances.

Algorithm 8.7.2 (Shanks's SQUFOF). Given an odd integer $N$, this algorithm
tries to find a non-trivial factor of $N$.

1. [Is $N$ prime?] Using Algorithm 8.2.2, check whether $N$ is a probable prime. If
it is, output a message to that effect and terminate the algorithm.

2. [Is $N$ square?] Using Algorithm 1.7.3, test whether $N$ is a square. If it is, let
$n$ be its square root (also given by the algorithm), output $n$ and terminate the
algorithm.

3. [Initializations] If $N\equiv 1\pmod 4$, let $D\leftarrow N$, $d\leftarrow\lfloor\sqrt D\rfloor$, $b\leftarrow 2\lfloor(d-1)/2\rfloor+1$.
Otherwise, let $D\leftarrow 4N$, $d\leftarrow\lfloor\sqrt D\rfloor$, $b\leftarrow 2\lfloor d/2\rfloor$. Then let
$f\leftarrow(1,b,(b^2-D)/4)$, $Q\leftarrow\emptyset$ ($Q$ is going to be our queue), $i\leftarrow 0$, $L\leftarrow\lfloor\sqrt d\rfloor$.

4. [Apply rho] Let $f=(A,B,C)\leftarrow\rho(f)$, where $\rho$ is given by Definition 5.6.4,
and set $i\leftarrow i+1$. If $i$ is odd, go to step 7.

5. [Squareform?] Using Algorithm 1.7.3, test whether $A$ is a square. If it is, let $a$
be the (positive) square root of $A$ (which is also output by Algorithm 1.7.3)
and if $a\notin Q$ go to step 8.

6. [Short period?] If $A=1$, output a message saying that the algorithm ran
through the $i$ elements of the principal cycle without finding a non-trivial
squareform, and terminate the algorithm.

7. [Fill queue and cycle] If $|A|<L$, set $Q\leftarrow Q\cup\{|A|\}$. Go to step 4.

8. [Initialize back-cycle] (Here we have found a non-trivial square form). Let $s\leftarrow
\gcd(a,B,D)$. If $s>1$, output $s^2$ as a factor of $N$ and terminate the algorithm
(or start again with $N$ replaced by $N/s^2$). Otherwise, set $g\leftarrow(a,-B,aC)$.
Apply $\rho$ to $g$ until $g$ is reduced, and write $g=(a,b,c)$.

9. [Back-cycle] Let $b_1\leftarrow b$ and $g=(a,b,c)\leftarrow\rho(g)$. If $b_1\neq b$ go to step
9. Otherwise, output $|a|$ if $a$ is odd, $|a/2|$ if $a$ is even, and terminate the
algorithm.
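Algorithm 8.7.2 as an added Python example (my code, not the book's). The reduction operator $\rho$ is implemented from Definition 5.6.4 for indefinite forms as I read it (the range rules for $r$ in `_r` are that reading), the queue threshold is $L=\lfloor\sqrt d\rfloor$ as in step 3, and the short-period test is applied before the square test so that the unit form is never taken as a square form. Step 1 (the probable-prime test) is left to the caller; the input $N=11111=41\cdot 271$ is a constructed example.

```python
from math import gcd, isqrt


def _r(b, a, s):
    """The integer r = b (mod 2a) in the range of Definition 5.6.4:
    -|a| < r <= |a| if |a| > sqrt(D), and sqrt(D) - 2|a| < r < sqrt(D) otherwise.
    s = isqrt(D); D is not a square here, so sqrt(D) is irrational."""
    m = 2 * abs(a)
    if abs(a) > s:
        r = b % m
        return r - m if r > abs(a) else r
    return s - ((s - b) % m)          # largest r <= s with r = b (mod m)


def rho(f, D, s):
    """rho((a, b, c)) = (c, r(-b, c), (r^2 - D) / (4c)); the division is exact."""
    a, b, c = f
    r = _r(-b, c, s)
    return (c, r, (r * r - D) // (4 * c))


def is_reduced(f, s):
    """|sqrt(D) - 2|a|| < b < sqrt(D), tested with integers only."""
    a, b, c = f
    return 0 < b <= s and 2 * abs(a) - b <= s and b + 2 * abs(a) > s


def squfof(N):
    """Basic SQUFOF (one discriminant) for odd composite N.  Returns a
    non-trivial factor, or None if the principal cycle ends first."""
    n = isqrt(N)                                  # step 2
    if n * n == N:
        return n
    if N % 4 == 1:                                # step 3
        D, d = N, isqrt(N)
        b = 2 * ((d - 1) // 2) + 1                # largest odd b <= d
    else:
        D, d = 4 * N, isqrt(4 * N)
        b = 2 * (d // 2)                          # largest even b <= d
    s = d                                         # floor(sqrt(D))
    f = (1, b, (b * b - D) // 4)                  # the unit form
    queue = set()                                 # Shanks's queue of dubious |A|
    L = isqrt(d)                                  # about D^(1/4)
    i = 0
    while True:
        f = rho(f, D, s)                          # step 4
        i += 1
        A, B, C = f
        if i % 2 == 0:
            if A == 1:                            # step 6, tested first so the
                return None                       # unit form is not a "square form"
            a = isqrt(A) if A > 0 else 0          # step 5
            if a * a == A and a not in queue:
                break
        if abs(A) < L:                            # step 7
            queue.add(abs(A))
    sq = gcd(gcd(a, B), D)                        # step 8
    if sq > 1:
        return sq * sq                            # its square divides N
    g = (a, -B, a * C)                            # g^{-1}, possibly not reduced
    while not is_reduced(g, s):
        g = rho(g, D, s)
    while True:                                   # step 9: cycle until b repeats
        b1 = g[1]
        g = rho(g, D, s)
        if g[1] == b1:
            a = g[0]
            return abs(a) if a % 2 else abs(a) // 2
```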
Some remarks are in order. First, it is essential that $N$ be a composite
number, otherwise the queue will fill up indefinitely without the algorithm
finding a square form. Also, $N$ must not be a square, otherwise we do not
have a quadratic field to work with. This is the reason why steps 1 and 2 have
been explicitly included.

Second, once these cases are out of the way, experiment shows that the queue
stays small. A storage capacity of 50 is certainly more than sufficient.

Third, during the back-cycle part of the algorithm, we need to test whether
we hit upon our ambiguous form. To do this, we could use the necessary and
sufficient condition that $a\mid b$. It is however a simple exercise (see Exercise 12)
to show that this is equivalent to the condition $b_1=b$ used in step 9.

Several improvements are possible to this basic algorithm, including those
mentioned earlier. For example, the queue could be used to shorten the back-cycle
length, starting at $hg^{-1}$ instead of $g^{-1}$, where $h$ is the form corresponding
to the last element put in the queue. We will not dwell on this here.

One of the main reasons why SQUFOF is attractive is that it works exclusively
with reduced quadratic forms $(a,b,c)$ of discriminant at most a small
multiple of $N$, hence such that $a$, $b$ and $c$ are of the order of $N^{1/2}$. This
implies that the basic operations in SQUFOF are much faster than in the other
factoring algorithms where operations on numbers of size $N$ or $N^2$ must be
performed. Of course, this is only a constant factor, but in practice it is very
significant. Furthermore, the algorithm is extremely simple, so it can easily
be implemented even on a 10-digit pocket calculator, and one can then factor
numbers having up to 19 or 20 digits without any multi-precision arithmetic.

Unfortunately, SQUFOF is not sensitive to the size of the small prime
factors of $N$, hence contrary to Pollard's rho method, it cannot be used to cast
out small primes. So if $N$ has more than 25 digits, say, SQUFOF becomes
completely useless, while Pollard rho still retains its value (although it is
superseded by ECM for larger numbers, see Chapter 10).


8.8 The $p-1$ Method

The last factoring method which we will study in this chapter is a little special
for two reasons. First, it is not a general purpose factoring method, but a way
to find quickly prime factors of $N$ that may be very large, but which possess
certain properties. Second, the idea behind the method has successfully been
used in some of the most successful modern factoring methods like the elliptic
curve method (see Section 10.3). Hence it is important to understand this
method at least as an introduction to Chapter 10.
8.8.1 The First Stage

We need a definition.

Definition 8.8.1. Let $B$ be a positive integer. A positive integer $n$ will be
said to be $B$-smooth if all the prime divisors of $n$ are less than or equal to $B$.
We will say that $n$ is $B$-powersmooth if all prime powers dividing $n$ are less
than or equal to $B$.

These notions of smoothness are quite natural in factoring methods, and
we will see that they become essential in the modern methods. The idea behind
the $p-1$ method is the following. Let $p$ be a prime dividing the number $N$
that we want to split ($p$ is of course a priori unknown). Let $a>1$ be an
integer (which we can assume coprime to $N$ by computing a GCD, otherwise
$N$ will have split). Then by Fermat's theorem, $a^{p-1}\equiv 1\pmod p$. Now assume
that $p-1$ is $B$-powersmooth for a certain $B$ which is not too large. Then by
definition $p-1$ divides the least common multiple of the numbers from 1 to
$B$, which we will denote by $\mathrm{lcm}[1..B]$. Hence, $a^{\mathrm{lcm}[1..B]}\equiv 1\pmod p$, which
implies that

$$(a^{\mathrm{lcm}[1..B]}-1,N)>1.$$

As in the Pollard $\rho$ method, if this is tested for increasing values of $B$, it is
highly improbable that this GCD will be equal to $N$, hence we will have found
a non-trivial divisor of $N$. This leads to the following algorithm, which in this
form is due to Pollard.

Algorithm 8.8.2 ($p-1$ First Stage). Let $N$ be a composite number, and $B$
be an a priori chosen bound. This algorithm will try to find a non-trivial factor
of $N$, and has a chance of succeeding only when there exists a prime factor $p$ of
$N$ such that $p-1$ is $B$-powersmooth. We assume that we have precomputed a
table $p[1],\dots,p[k]$ of all the primes up to $B$.

1. [Initialize] Set $x\leftarrow 2$, $y\leftarrow x$, $c\leftarrow 0$, $i\leftarrow 0$, and $j\leftarrow i$.

2. [Next prime] Set $i\leftarrow i+1$. If $i>k$, compute $g\leftarrow(x-1,N)$. If $g=1$ output
a message saying that the algorithm has not succeeded in splitting $N$, and
terminate, else set $i\leftarrow j$, $x\leftarrow y$ and go to step 5. Otherwise (i.e. if $i\le k$),
set $q\leftarrow p[i]$, $q_1\leftarrow q$, $l\leftarrow\lfloor B/q\rfloor$.

3. [Compute power] While $q_1\le l$, set $q_1\leftarrow q\cdot q_1$. Then, set $x\leftarrow x^{q_1}\bmod N$,
$c\leftarrow c+1$ and if $c<20$ go to step 2.

4. [Compute GCD] Set $g\leftarrow(x-1,N)$. If $g=1$, set $c\leftarrow 0$, $j\leftarrow i$, $y\leftarrow x$ and
go to step 2. Otherwise, set $i\leftarrow j$ and $x\leftarrow y$.

5. [Backtrack] Set $i\leftarrow i+1$, $q\leftarrow p[i]$ and $q_1\leftarrow q$.

6. [Finished?] Set $x\leftarrow x^q\bmod N$, $g\leftarrow(x-1,N)$. If $g=1$, set $q_1\leftarrow q\cdot q_1$ and
if $q_1\le B$, go to step 6, else go to step 5. Otherwise (i.e. if $g>1$), if $g<N$
output $g$ and terminate the algorithm. Finally, if $g=N$ (a rare occurrence),
output that the algorithm has failed and terminate.
Note that this algorithm may fail for two completely different reasons. The
first one, by far the most common, occurs in step 2, and comes because $N$
does not have any prime divisor $p$ such that $p-1$ is $B$-powersmooth. In fact,
it proves this. The second reason why it may fail occurs in step 6, but this is
extremely rare. This would mean that all the prime divisors $p$ of $N$ are found
simultaneously. If this is the case, then this means that there certainly exists
a $p$ dividing $N$ such that $p-1$ is $B$-powersmooth. Hence, it may be worthwhile to try
the algorithm with a different initial value of $x$, for example $x\leftarrow 3$ instead of
$x\leftarrow 2$.

Even in this simple form, the behavior of the $p-1$ algorithm is quite
impressive. Of course, it does not pretend to be a complete factoring algorithm
(in fact when $N=(2p+1)(2q+1)$ where $p$, $q$, $2p+1$ and $2q+1$ are primes
with $p$ and $q$ about the same size, the running time of the algorithm will in
general be $O(N^{1/2+\epsilon})$ if we want to factor $N$ completely, no better than trial
division). On the other hand, it may succeed in finding very large factors of $N$,
since it is not the size of the prime factors of $N$ which influences the running
time but rather the smoothness of the prime factors minus 1.

The size of $B$ depends essentially on the time that one is willing to spend.
It is however also strongly conditioned by the existence of a second stage to
the algorithm as we shall see presently. Usual values of $B$ which are used
are, say, between $10^5$ and $10^6$.


8.8.2 The Second Stage

Now an important practical improvement to the $p-1$ algorithm (which one
also uses in the modern methods using similar ideas) is the following. It may
be too much to ask that there should exist a prime divisor $p$ of $N$ such that
$p-1$ is $B$-powersmooth. It is more reasonable to ask that $p-1$ should be
completely factored by trial division up to $B$. But this means that $p-1=fq$,
where $f$ is $B$-smooth, and $q$ is a prime which may be much larger than $B$ (but
not than $B^2$). For our purposes, we will slightly strengthen this condition and
assume that $N$ has a prime factor $p$ such that $p-1=fq$ where $f$ is $B_1$-powersmooth
and $q$ is a prime such that $B_1<q\le B_2$, where $B_1$ is our old $B$,
and $B_2$ is a much larger constant. We must explain how we are going to find
such a $p$. Of course, $p-1$ is $B_2$-powersmooth so we could use the $p-1$ algorithm
with $B_1$ replaced by $B_2$. This is however unrealistic since $B_2$ is much
larger than $B_1$.

Now we have as usual

$$(a^{q\,\mathrm{lcm}[1..B_1]}-1,N)>1$$

and we will proceed as follows. At the end of the first stage (i.e. of Algorithm
8.8.2 above), we will have computed $b\leftarrow a^{\mathrm{lcm}[1..B_1]}\bmod N$. We store a table
of the differences of the primes from $B_1$ to $B_2$. Now these differences are small, and
there will not be many of them. So we can quickly compute $b^d$ for all possible
differences $d$, and obtain all the $b^q$ by multiplying successively an initial power
of $b$ by these precomputed $b^d$. Hence, for each prime, we replace a powering
operation by a simple multiplication, which is of course much faster, and this
is why we can go much further. This leads to the following algorithm.

Algorithm 8.8.3 ($p-1$ with Stage 2). Let $N$ be a composite number, and $B_1$ and $B_2$ be a priori chosen bounds. This algorithm will try to find a non-trivial factor of $N$, and has a chance of succeeding only when there exists a prime factor $p$ of $N$ such that $p-1$ is equal to a $B_1$-powersmooth number times a prime less than or equal to $B_2$. We assume that we have precomputed a table $p[1], \dots, p[k_1]$ of all the primes up to $B_1$ and a table $d[1], \dots, d[k_2]$ of the differences of the primes from $B_1$ to $B_2$, with $d[1] = p[k_1+1] - p[k_1]$, etc.

1. [First stage] Using $B = B_1$, try to split $N$ using Algorithm 8.8.2 (i.e. the first stage). If this succeeds, terminate the algorithm. Otherwise, we will have obtained a number $x$ at the end of Algorithm 8.8.2, and we set $b \leftarrow x$, $c \leftarrow 0$, $P \leftarrow 1$, $i \leftarrow 0$, $j \leftarrow i$ and $y \leftarrow x$.

2. [Precomputations] For all values of the differences $d[i]$ (which are small and few in number), precompute and store $b^{d[i]}$. Set $x \leftarrow x^{p[k_1]}$.

3. [Advance] Set $i \leftarrow i+1$, $x \leftarrow x \cdot b^{d[i]}$ (using the precomputed value of $b^{d[i]}$), $P \leftarrow P \cdot (x-1)$, $c \leftarrow c+1$. If $i > k_2$, go to step 6. Otherwise, if $c < 20$, go to step 3.

4. [Compute GCD] Set $g \leftarrow (P, N)$. If $g = 1$, set $c \leftarrow 0$, $j \leftarrow i$, $y \leftarrow x$ and go to step 3.

5. [Backtrack] Set $i \leftarrow j$, $x \leftarrow y$. Then repeat $x \leftarrow x \cdot b^{d[i]}$, $i \leftarrow i+1$, $g \leftarrow (x-1, N)$ until $g > 1$ (this must occur). If $g < N$ output $g$ and terminate the algorithm. Otherwise (i.e. if $g = N$, a rare occurrence), output that the algorithm has failed (or try again using $x \leftarrow 3$ instead of $x \leftarrow 2$ in the first step of Algorithm 8.8.2), and terminate.

6. [Failed?] Set $g \leftarrow (P, N)$. If $g = 1$, output that the algorithm has failed and terminate. Otherwise go to step 5.

In this form, the $p-1$ algorithm is much more efficient than using the first stage alone. Typical values which could be used are $B_1 = 2 \cdot 10^6$, $B_2 = 10^8$. See also [Mon2] and [Bre2] for further improvements.
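As an added illustration (this is not the book's code), the following Python implements the two-stage $p-1$ method just described: a simplified stage 1 (a single $a^{\operatorname{lcm}[1,\dots,B_1]}$ followed by one gcd, instead of the interleaved gcds of Algorithm 8.8.2) and a stage 2 with the prime-difference table, a gcd every 20 primes and the backtracking of Algorithm 8.8.3. The sample modulus $N = 1213 \cdot 10091$ is constructed so that $1212 = 12 \cdot 101$ is caught by stage 2 with $B_1 = 100$, $B_2 = 1000$, while $10090 = 10 \cdot 1009$ stays out of reach.

```python
from math import gcd, isqrt


def primes_up_to(n):
    """All primes <= n by a sieve of Eratosthenes."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(n) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i in range(n + 1) if sieve[i]]


def pm1_stage1(N, B1, a=2):
    """Stage 1 (simplified Algorithm 8.8.2): raise a to the lcm of all prime
    powers <= B1 and take a single gcd at the end.
    Returns (g, x): g = gcd(x - 1, N), x the value handed to stage 2."""
    x = a
    for p in primes_up_to(B1):
        pe = p
        while pe * p <= B1:          # largest power of p not exceeding B1
            pe *= p
        x = pow(x, pe, N)
    return gcd(x - 1, N), x


def pm1_stage2(N, b, B1, B2, batch=20):
    """Stage 2 following Algorithm 8.8.3.  b is the stage-1 output.
    For consecutive primes q_i in (B1, B2], x_i = b^{q_i} is obtained from
    x_{i-1} by ONE multiplication with the precomputed b^d, d = q_i - q_{i-1}.
    A gcd is taken only every `batch` primes; on a hit the batch is replayed
    prime by prime so that a gcd equal to N itself can be recognised."""
    qs = [q for q in primes_up_to(B2) if q > B1]
    if not qs:
        return None
    gaps = [qs[i] - qs[i - 1] for i in range(1, len(qs))]
    bd = {d: pow(b, d, N) for d in set(gaps)}  # table of b^d, few entries
    m = len(qs)
    i, x = 0, pow(b, qs[0], N)                  # x = b^{q_0}
    while i < m:
        j, y = i, x                             # checkpoint for backtracking
        P = 1
        while i < m and i - j < batch:
            P = P * (x - 1) % N
            i += 1
            if i < m:
                x = x * bd[gaps[i - 1]] % N     # now x = b^{q_i}
        if gcd(P, N) == 1:
            continue                            # nothing in this batch
        # [Backtrack] replay the batch one prime at a time
        i, x = j, y
        while True:
            g = gcd(x - 1, N)
            if g > 1:
                return g if g < N else None     # g == N: failure, retry a=3
            i += 1
            x = x * bd[gaps[i - 1]] % N
    return None


def pollard_pm1(N, B1, B2, a=2):
    """Two-stage p-1: returns a non-trivial factor of N, or None on failure."""
    g, x = pm1_stage1(N, B1, a)
    if 1 < g < N:
        return g
    if g == N:
        return None                             # stage 1 already degenerate
    return pm1_stage2(N, x, B1, B2)


if __name__ == "__main__":
    # constructed example: 1213 - 1 = 4*3*101 and 10091 - 1 = 2*5*1009
    print(pollard_pm1(1213 * 10091, 100, 1000))  # -> 1213
```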


8.8.3  Other  Algorithms  of  the  Same  Type 

The main drawback of the $p-1$ algorithm is that there is no reason for $N$ to have a prime divisor $p$ such that $p-1$ is smooth. As with the primality tests (see Section 8.3.2), we can also detect the primes $p$ such that $p+1$ is smooth, or also $p^2+p+1$, $p^2+1$, $p^2-p+1$ (although since these numbers are much larger, their probability of being smooth for a given bound $B$ is much smaller). We leave as an exercise for the reader (Exercise 13) to write an algorithm when $p+1$ is $B$-powersmooth.
8 Factoring in the Dark Ages


We see that the number of available groups which give numbers of reasonable size (here $\mathbb{F}_p^*$ and $\mathbb{F}_{p^2}^*/\mathbb{F}_p^*$, which give $p-1$ and $p+1$ respectively) is very small (2) and this limits the usefulness of the method. The idea of the elliptic curve method (ECM) is to use the group of points of an elliptic curve over $\mathbb{F}_p$, which also has approximately $p$ elements by Hasse's Theorem 7.1.8, and this will lead to a much better algorithm since we will have at our disposal a large number of groups of small size instead of only two. See Section 10.3 for details.


8.9  Exercises  for  Chapter  8 

1. Show that an odd prime number $p$ is a strong pseudo-prime in any base not divisible by $p$.

2. If $N$ is the 46 digit composite number due to Arnault given in the text as an example of a strong pseudoprime to all prime bases $a \le 31$, compute explicitly $a^{(N-1)/4} \bmod N$ for these $a$ and show that $-1$ has at least 5 different square roots modulo $N$ (showing clearly that $N$ is not prime even without knowing its explicit factorization). From this remark, deduce a strengthening of the Rabin-Miller test which would not be passed for example by Arnault's number.

3. Show that if $N$ is any odd integer, the congruence

$$a^{N-1} \equiv -1 \pmod N$$

is impossible. More generally, show that

$$a^k \equiv -1 \pmod N$$

implies that

$$v_2(k) \le v_2\!\left(\frac{N-1}{2}\right).$$

The  following  four  exercises  are  due  to  H.  W.  Lenstra. 

4. Show that there are only a finite number of integers $N$ such that for all $a \in \mathbb{Z}$ we have

$$a^{N+1} \equiv a \pmod N,$$

and give the complete list.

5. Let $N$ be a positive integer such that $2^N \equiv 1 \pmod N$. Show that $N = 1$.

6. Let $a$ be a positive integer such that $a^4 + 4^a$ is a prime number. Show that $a = 1$.

7. Show that there exist infinitely many $n$ for which at least one of $2^{2^n}+1$ or $6^{2^n}+1$ is composite.

8. Denote by $F_k$ the $k$-th Fermat number, i.e. $F_k = 2^{2^k}+1$.

a) Show manually that $F_k$ is prime for $0 \le k \le 4$ but that $641 \mid F_5$.

b) Let $h > 1$ be an integer such that $h \equiv 1 \pmod{F_0F_1F_2F_3F_4}$. If $h 2^n + 1$ is prime, show that $32 \mid n$.

c) Conclude that there exists an $a$ such that if $h \equiv a \pmod{F_0F_1F_2F_3F_4F_5}$ and $h > 1$, then for all $n$, $h 2^n + 1$ is composite.

9. Let $N = 2^{2^k}+1$ be a Fermat number. Prove that in this case Proposition 8.3.1 can be made more precise as follows: $N$ is prime if and only if $3^{(N-1)/2} \equiv -1 \pmod N$ (use the quadratic reciprocity law).

10. Using implicitly the finite field $\mathbb{F}_{N^2}$, write a primality testing algorithm in the case where $N+1$ is completely factored, using a proposition similar to 8.3.1.

11. Using the algorithm developed in Exercise 10, show that the Mersenne number $N = 2^p - 1$ is prime if and only if $p$ is prime and (for $p \ne 2$) the sequence defined by $u_0 = 4$ and $u_{k+1} = u_k^2 - 2 \bmod N$ satisfies $u_{p-2} = 0$ (this is called the Lucas-Lehmer test).

12. Let $g = (a,b,c)$ and $g_1 = (a_1,b_1,c_1) = \rho(g)$ be reduced forms with positive discriminant. Show that $g_1$ is an ambiguous form if and only if $b = b_1$.

13. The $p-1$-algorithm is based on the properties of the finite field $\mathbb{F}_p$. Using instead the field $\mathbb{F}_{p^2}$, develop a $p+1$-factoring algorithm for use when a prime factor $p$ of $N$ is such that $p+1$ is $B$-powersmooth for some reasonable bound $B$.

14. Let $N$ be a number to be factored. Assume that after one of the factoring algorithms seen in this chapter we have found a number $a$ such that $d = \gcd(N,a)$ satisfies $1 < d < N$, hence gives a non-trivial divisor of $N$. Write an algorithm which extracts as much information as possible from this divisor $d$, i.e. which finds $N_1$ and $N_2$ such that $N = N_1N_2$, $\gcd(N_1,N_2) = 1$ and $d \mid N_1$.


Chapter  9 

Modern  Primality  Tests 


In Section 8.3, we studied various primality tests, essentially the $N-1$ test, and saw that they require knowing the factorization of $N-1$ (or $N+1$, ...), which are large numbers. Even though only partial factorizations are needed, the tests of Section 8.3 become impractical as soon as $N$ has more than 100 digits, say. A breakthrough was made in 1980 by Adleman, Pomerance and Rumely, that enabled testing the primality of much larger numbers. The APR test was further simplified and improved by H. W. Lenstra and the author, and the resulting APRCL test was implemented in 1981 by A. K. Lenstra and the author, with the help of D. Winter. It is now possible to prove the primality of numbers with 1000 decimal digits in a not too unreasonable amount of time. The running time of this algorithm is $O\big((\ln N)^{C \ln\ln\ln N}\big)$ for a suitable constant $C$. This is almost a polynomial time algorithm since for all practical purposes the function $\ln\ln\ln N$ acts like a constant. (Note that the practical version of the algorithm is probabilistic, but that there exists a non-probabilistic but less practical version.)

We will describe the algorithm in Section 9.1, without giving all the implementation tricks. The reader will find a detailed description of this algorithm and its implementation in [Coh-Len2], [Coh-Len3] and [Bos-Hul].

In 1986, another primality testing algorithm was invented, first for theoretical purposes by Goldwasser and Kilian, and then considerably modified so as to obtain a practical algorithm by Atkin. This algorithm has been implemented by Atkin and Morain, and is also practical for numbers having up to 1000 digits. The expected running time of this algorithm is $O(\ln^6 N)$, hence is polynomial time, but this is only on average since for some numbers the running time could be much larger. A totally non-practical version using a higher dimensional analog of this test has been given by Adleman and Huang, and they can prove that their test is polynomial time. In other words, they prove the following theorem ([Adl-Hua]).

Theorem  9.1.  There  exists  a  probabilistic  polynomial  time  algorithm  which 
can  prove  or  disprove  that  a  given  number  N  is  prime. 

Their  proof  is  pretty  but  very  complex,  and  this  theorem  is  one  of  the 
major  achievements  of  theoretical  algorithmic  number  theory. 

We  will  describe  Atkin’s  practical  primality  test  in  Section  9.2,  and  we 
refer  to  [Atk-Mor]  and  to  [Mor2]  for  implementation  details. 


9.1  The  Jacobi  Sum  Test 

The  idea  of  the  APRCL  method  is  to  test  Fermat- type  congruences  in  higher 
degree  number  fields,  and  more  precisely  in  certain  well  chosen  cyclotomic 
fields.  We  need  a  few  results  about  group  rings  in  this  context. 


9.1.1 Group Rings of Cyclotomic Extensions

Recall  first  the  following  definitions  and  results  about  cyclotomic  fields  (see 
[Was]). 

Definition 9.1.1. If $n$ is a positive integer, the $n$-th cyclotomic field is the number field $\mathbb{Q}(\zeta_n)$, where $\zeta_n$ is a primitive $n$-th root of unity, for example $\zeta_n = e^{2i\pi/n}$.


Proposition 9.1.2. Let $K = \mathbb{Q}(\zeta_n)$ be the $n$-th cyclotomic field.

(1) The extension $K/\mathbb{Q}$ is a Galois extension, with Abelian Galois group given by

$$G = \operatorname{Gal}(K/\mathbb{Q}) = \{\sigma_a,\ (a,n) = 1\}, \quad\text{where } \sigma_a(\zeta_n) = \zeta_n^a.$$

In particular, the degree of $K/\mathbb{Q}$ is $\phi(n)$, where $\phi$ is Euler's phi function.

(2) The ring of integers of $K$ is $\mathbb{Z}_K = \mathbb{Z}[\zeta_n]$.

We  now  come  to  the  definition  of  a  group  ring.  We  could  of  course  bypass 
this  definition,  but  the  notations  would  become  very  cumbersome. 

Definition 9.1.3. Let $G$ be any finite group. The group ring $\mathbb{Z}[G]$ is the set of maps (not necessarily homomorphisms) from $G$ to $\mathbb{Z}$ with the following two operations. If $f_1$ and $f_2$ are in $\mathbb{Z}[G]$, we naturally define

$$(f_1 + f_2)(\sigma) = f_1(\sigma) + f_2(\sigma)$$

for all $\sigma \in G$. The multiplication law is more subtle, and is defined by

$$(f_1 \cdot f_2)(\sigma) = \sum_{\tau \in G} f_1(\tau)\, f_2(\tau^{-1}\sigma).$$


The name group ring is justified by the easily checked fact that the above operations do give a ring structure to $\mathbb{Z}[G]$. If for $f \in \mathbb{Z}[G]$, we set formally

$$f = \sum_{\sigma \in G} f(\sigma)[\sigma],$$

where $[\sigma]$ is just a notation, then it is easy to see that addition and multiplication become natural $\mathbb{Z}$-algebra laws, if we set, as is natural, $[\sigma_1] \cdot [\sigma_2] = [\sigma_1\sigma_2]$. This is the notation which we will use. Note also that although we have only defined group rings $\mathbb{Z}[G]$ for finite groups $G$, it is easy to extend this to infinite groups by requiring that all but a finite number of images of the maps be equal to 0 (in order to have finite sums).

We can consider $\mathbb{Z}$ as a subring of $\mathbb{Z}[G]$ by identifying $n$ with $n[1]$, where $1$ is the unit element of $G$, and we will use this identification from now on.

We now specialize to the situation where $G = \operatorname{Gal}(K/\mathbb{Q})$ for a number field $K$ Galois over $\mathbb{Q}$, and in particular to the case where $K$ is a cyclotomic field. By definition, the group $G$ acts on $K$, and also on all objects naturally associated to $K$: the unit group, the class group, etc. One can extend this action of $G$ in a natural way to an action of $\mathbb{Z}[G]$ in the following way. If $f \in \mathbb{Z}[G]$ and $x \in K$, then we set

$$f(x) = \prod_{\sigma \in G} \sigma(x)^{f(\sigma)}.$$

In the expanded form where we write $f = \sum_{\sigma \in G} n_\sigma[\sigma]$, one sees immediately that this corresponds to a multiplicative extension of the action of $G$, and suggests using the notation $x^f$ instead of $f(x)$ so that

$$x^f = \prod_{\sigma \in G} \sigma(x)^{n_\sigma}.$$

Indeed, it is easy to check the following properties ($x$, $x_1$ and $x_2$ are in $K$ and $f$, $f_1$ and $f_2$ are in $\mathbb{Z}[G]$):

(1) $x^{f_1 + f_2} = x^{f_1} \cdot x^{f_2}$.

(2) $x^{f_1 \cdot f_2} = (x^{f_1})^{f_2} = (x^{f_2})^{f_1}$.

(3) $(x_1 + x_2)^f = x_1^f + x_2^f$.

(4) $(x_1 x_2)^f = x_1^f x_2^f$.

We now fix a prime number $p$ and an integer $k$, and consider the $n$-th cyclotomic field $K$, where $n = p^k$. Let $G$ be its Galois group, which is the set of all $\sigma_a$ for $a \in (\mathbb{Z}/n\mathbb{Z})^*$ by Proposition 9.1.2. Since it is Abelian, the group ring $\mathbb{Z}[G]$ is a commutative ring. Set

$$\mathfrak{p} = \{ f \in \mathbb{Z}[G] \ /\ \zeta_p^f = 1 \},$$

where $\zeta_p = e^{2i\pi/p}$ is a primitive $p$-th root (not $p^k$-th) of unity. Then one checks immediately that $\mathfrak{p}$ is an ideal of $\mathbb{Z}[G]$. In fact, if $f = \sum_{a \in (\mathbb{Z}/n\mathbb{Z})^*} n_a[\sigma_a]$, then $f \in \mathfrak{p}$ if and only if $\sum_{a \in (\mathbb{Z}/n\mathbb{Z})^*} a n_a \equiv 0 \pmod p$. This shows that the number of cosets of $\mathbb{Z}[G]$ modulo $\mathfrak{p}$ is equal to $p$ (the number of different incongruent sums $\sum a n_a$ modulo $p$), hence that $\mathfrak{p}$ is in fact a prime ideal of degree one (i.e. of norm equal to $p$). Clearly, it is generated over $\mathbb{Z}$ by $p$ (i.e. $p[1]$) and all the $a - [\sigma_a]$.
9.1.2 Characters, Gauss Sums and Jacobi Sums

Recall that a character (more precisely a Dirichlet character) $\chi$ modulo $q$ is a group homomorphism from $(\mathbb{Z}/q\mathbb{Z})^*$ to $\mathbb{C}^*$ for some integer $q$. This can be naturally extended to a multiplicative map from $\mathbb{Z}/q\mathbb{Z}$ to $\mathbb{C}$ by setting $\chi(x) = 0$ if $x \notin (\mathbb{Z}/q\mathbb{Z})^*$. It can then be lifted to a map from $\mathbb{Z}$ to $\mathbb{C}$, which by abuse of notation we will still denote by $\chi$. The set of characters modulo $q$ forms a group, and for instance using Section 1.4.1 one can easily show that this group is (non-canonically) isomorphic to $(\mathbb{Z}/q\mathbb{Z})^*$, and in particular has $\phi(q)$ elements. The unit element of this group is the character $\chi_0$ such that $\chi_0(x) = 1$ if $(x,q) = 1$ and $0$ otherwise.

Proposition 9.1.4. Let $\chi$ be a character different from $\chi_0$. Then

$$\sum_{x \in (\mathbb{Z}/q\mathbb{Z})^*} \chi(x) = 0.$$

Dually, if $x \not\equiv 1 \pmod q$, then

$$\sum_{\chi} \chi(x) = 0,$$

where the sum is over all characters modulo $q$.

Proof. Since $\chi \ne \chi_0$, there exists a number $a$ coprime to $q$ such that $\chi(a) \ne 1$. Set $S = \sum_x \chi(x)$. Since $\chi$ is multiplicative we have $\chi(a)S = \sum_x \chi(ax)$. Since $a$ is coprime to $q$ and hence invertible modulo $q$, the map $x \mapsto ax$ is a bijection of $(\mathbb{Z}/q\mathbb{Z})^*$ onto itself. It follows that $\chi(a)S = \sum_y \chi(y) = S$, and since $\chi(a) \ne 1$, this shows that $S = 0$ as claimed. The second part of the proposition is proved in the same way using the existence of a character $\chi_1$ such that $\chi_1(x) \ne 1$ when $x \not\equiv 1 \pmod q$. □

The order of a character $\chi$ is the smallest positive $n$ such that $\chi(a)^n = 1$ for all integers $a$ prime to $q$; in other words it is the order of $\chi$ considered as an element of the group of characters modulo $q$.

Definition 9.1.5.

(1) Let $\chi$ be a character modulo $q$. The Gauss sum $\tau(\chi)$ is defined by

$$\tau(\chi) = \sum_{x \in (\mathbb{Z}/q\mathbb{Z})^*} \chi(x)\zeta_q^x,$$

where as usual $\zeta_q = e^{2i\pi/q}$.

(2) Let $\chi_1$ and $\chi_2$ be two characters modulo $q$. The Jacobi sum $j(\chi_1,\chi_2)$ is defined by

$$j(\chi_1,\chi_2) = \sum_{x \in (\mathbb{Z}/q\mathbb{Z})^*} \chi_1(x)\chi_2(1-x).$$
Note that since we have extended characters by 0, we can replace $(\mathbb{Z}/q\mathbb{Z})^*$ by $\mathbb{Z}/q\mathbb{Z}$, and also that in the definition of Jacobi sums, one could exclude $x = 1$ which contributes 0 to the sum.

From the definitions, it is clear that if $\chi$ is a character modulo $q$ of order $n$ (hence $n \mid \phi(q)$), then

$$\tau(\chi) \in \mathbb{Z}[\zeta_n, \zeta_q],$$

while if $\chi_1$ and $\chi_2$ are two characters modulo $q$ of order dividing $n$, then

$$j(\chi_1,\chi_2) \in \mathbb{Z}[\zeta_n].$$

This will in general be a much simpler ring than $\mathbb{Z}[\zeta_n,\zeta_q]$, and this observation will be important in the test.

The  basic  results  about  Gauss  sums  and  Jacobi  sums  that  we  will  need 
are  summarized  in  the  following  proposition.  Note  that  we  assume  that  q  is  a 
prime,  which  makes  things  a  little  simpler. 


Proposition 9.1.6.

(1) Let $\chi \ne \chi_0$ be a character modulo a prime $q$. Then

$$\tau(\chi)\tau(\bar\chi) = \chi(-1)\,q \quad\text{and}\quad |\tau(\chi)| = \sqrt{q}.$$

(2) Let $\chi_1$ and $\chi_2$ be two characters modulo $q$ such that $\chi_1\chi_2 \ne \chi_0$. Then

$$j(\chi_1,\chi_2) = \frac{\tau(\chi_1)\tau(\chi_2)}{\tau(\chi_1\chi_2)}.$$


Proof. To simplify notations, except if explicitly stated otherwise, the summations will always be over $(\mathbb{Z}/q\mathbb{Z})^*$, and we abbreviate $\zeta_q$ to $\zeta$. We have:

$$\tau(\chi)\tau(\bar\chi) = \sum_x \chi(x)\zeta^x \sum_y \bar\chi(y)\zeta^y = \sum_t \chi(t) \sum_y \chi(y)\bar\chi(y)\zeta^{y(1+t)},$$

by setting $x = ty$. Since $\chi(y)\bar\chi(y) = 1$, the inner sum is simply a sum of powers of $\zeta$, and since $q$ is prime, it is a geometric series whose sum is equal to $-1$ if $1+t \ne 0$ and to $q-1$ otherwise. Hence, our product is equal to

$$-\sum_{t \ne -1} \chi(t) + (q-1)\chi(-1) = q\chi(-1) - \sum_t \chi(t) = q\chi(-1)$$

by Proposition 9.1.4. Finally, note that

$$\overline{\tau(\chi)} = \sum_x \bar\chi(-x)\zeta^{x} = \chi(-1)\tau(\bar\chi),$$

and the first part of the proposition is proved.
The second part is proved analogously. We have

$$\tau(\chi_1)\tau(\chi_2) = \sum_x \sum_y \chi_1(x)\chi_2(y)\zeta^{x+y} = \sum_t \sum_y \chi_1(t)\,\chi_1\chi_2(y)\,\zeta^{y(1+t)}$$

by setting $x = ty$. Now by setting $x = ay$ it is clear that for any $\chi \ne \chi_0$ we have

$$\sum_x \chi(x)\zeta^{ax} = \begin{cases} 0 & \text{if } a \equiv 0 \pmod q \\ \bar\chi(a)\tau(\chi) & \text{otherwise.} \end{cases}$$

Hence, since $\chi_1\chi_2 \ne \chi_0$, we have

$$\tau(\chi_1)\tau(\chi_2) = \tau(\chi_1\chi_2) \sum_{t \ne -1} \chi_1(t)\,\overline{\chi_1\chi_2}(1+t) = \tau(\chi_1\chi_2) \sum_u \chi_1(u)\chi_2(1-u)$$

if we set $u = t/(1+t)$, which sends bijectively $(\mathbb{Z}/q\mathbb{Z}) \setminus \{0,-1\}$ onto $(\mathbb{Z}/q\mathbb{Z}) \setminus \{0,1\}$, proving the identity. □
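As an added numerical check (not part of the book), the following Python builds a character of exact order $n$ modulo a prime $q$ from a primitive root, evaluates the Gauss and Jacobi sums of Definition 9.1.5 in floating-point complex arithmetic, and verifies both parts of Proposition 9.1.6 together with Proposition 9.1.4; the function names and the choice $\chi_1 = \chi_2 = \chi$ are mine.

```python
import cmath
from math import sqrt


def is_prime(n):
    """Trial division, enough for the small moduli used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def primitive_root(q):
    """Smallest primitive root g modulo the prime q."""
    phi = q - 1
    prime_divs = [f for f in range(2, phi + 1) if phi % f == 0 and is_prime(f)]
    for g in range(2, q):
        if all(pow(g, phi // f, q) != 1 for f in prime_divs):
            return g
    raise ValueError("q must be an odd prime")


def character(q, n, g=None):
    """Dirichlet character chi modulo the prime q of exact order n (n | q-1),
    fixed as in Theorem 9.1.12 by chi(g) = zeta_n for a primitive root g,
    and extended by chi(x) = 0 when q | x."""
    if not is_prime(q) or (q - 1) % n != 0:
        raise ValueError("need q prime and n | q-1")
    g = primitive_root(q) if g is None else g
    dlog, y = {}, 1
    for k in range(q - 1):           # discrete-log table  g^k -> k
        dlog[y] = k
        y = y * g % q
    zeta_n = cmath.exp(2j * cmath.pi / n)

    def chi(x):
        x %= q
        return 0 if x == 0 else zeta_n ** (dlog[x] % n)
    return chi


def gauss_sum(chi, q):
    """tau(chi) = sum_x chi(x) zeta_q^x  (Definition 9.1.5 (1))."""
    zeta_q = cmath.exp(2j * cmath.pi / q)
    return sum(chi(x) * zeta_q ** x for x in range(1, q))


def jacobi_sum(chi1, chi2, q):
    """j(chi1, chi2) = sum_x chi1(x) chi2(1 - x)  (Definition 9.1.5 (2))."""
    return sum(chi1(x) * chi2(1 - x) for x in range(1, q))


def check_proposition_9_1_6(q, n):
    """Verify Proposition 9.1.6 numerically for chi of order n modulo q,
    taking chi1 = chi2 = chi (so chi1*chi2 = chi^2 != chi0 requires n > 2).
    Returns the largest residual, which should be of the order of 1e-12."""
    chi = character(q, n)
    chibar = lambda x: chi(x).conjugate()        # the conjugate character
    chi_sq = lambda x: chi(x) * chi(x)           # chi1 * chi2 = chi^2
    tau, taubar = gauss_sum(chi, q), gauss_sum(chibar, q)
    residuals = [
        abs(tau * taubar - chi(-1) * q),         # tau(chi) tau(chibar) = chi(-1) q
        abs(abs(tau) - sqrt(q)),                 # |tau(chi)| = sqrt(q)
        abs(jacobi_sum(chi, chi, q) - tau * tau / gauss_sum(chi_sq, q)),  # (2)
        abs(sum(chi(x) for x in range(q))),      # Proposition 9.1.4
    ]
    return max(residuals)


if __name__ == "__main__":
    for q, n in [(7, 3), (13, 3), (31, 5)]:
        print(q, n, check_proposition_9_1_6(q, n))
```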




9.1.3  The  Basic  Test 

We now come back to our basic purpose, i.e. testing the primality of a number $N$. It is assumed that $N$ has already passed the Rabin-Miller test 8.2.2, so that it is highly improbable that $N$ is composite. The aim is to prove that $N$ is prime.

In this section, we fix a prime $p$ and a character $\chi$ of order $p^k$ modulo a prime $q$ (hence with $p^k \mid (q-1)$). We can of course assume that $N$ is prime to $p$ and $q$. We set for simplicity $n = p^k$, and denote by $\langle \zeta_n \rangle$ the group of $n$-th roots of unity, which is generated by $\zeta_n$. We shall use a modified version of Fermat's theorem as follows.

Proposition 9.1.7. Let $\beta \in \mathbb{Z}[G]$. Then if $N$ is prime, there exists $\eta(\chi) \in \langle \zeta_n \rangle$ such that

$$\tau(\chi)^{\beta(N - \sigma_N)} \equiv \eta(\chi)^{-\beta N} \pmod N, \qquad (*_\beta)$$

where in fact $\eta(\chi) = \chi(N)$.

Note that we consider $\mathbb{Z}[G]$ as acting not only on $\mathbb{Q}(\zeta_n)$ but also on $\mathbb{Q}(\zeta_n, \zeta_q)$, the action being trivial on $\zeta_q$. Note also that the congruences modulo $N$ are in fact modulo $N\mathbb{Z}[\zeta_n, \zeta_q]$.

Proof. We know that in characteristic $N$, $(\sum a_k)^N = \sum a_k^N$ since the binomial coefficients $\binom{N}{i}$ are divisible by $N$ if $0 < i < N$. Hence,

$$\tau(\chi)^N \equiv \sum_x \chi(x)^N \zeta^{Nx} = \sum_x \chi(N^{-1}x)^N \zeta^{x} = \chi(N)^{-N}\tau(\chi^N) \pmod N$$

and the proposition follows since $\tau(\chi^N) = \tau(\chi)^{\sigma_N}$ by definition of $\sigma_N$. Note that $\tau(\chi)$ is also coprime to $N$ since by Proposition 9.1.6, $\tau(\chi)\tau(\bar\chi) = \chi(-1)q$ is coprime to $N$. □

This proposition is a generalization of Fermat's theorem since one checks immediately that if we take $n = p = 2$ and $\beta = 1$, the proposition is equivalent to the statement $q^{(N-1)/2} \equiv \pm 1 \pmod N$. What we are now going to prove is in essence that if, conversely, condition $(*_\beta)$ is satisfied for a number of characters $\chi$ (with different $p^k$ and $q$), then we can easily finish the proof that $N$ is prime. First, we prove the following

Lemma 9.1.8. Let $N$ be any integer, and assume that $(*_\beta)$ is satisfied. Then

(1) For all $i \ge 0$

$$\tau(\chi)^{\beta(N^i - \sigma_N^i)} \equiv \eta(\chi)^{-\beta i N^i} \pmod N.$$

(2)

$$\tau(\chi)^{\beta\left(N^{(p-1)p^{k-1}} - 1\right)} \equiv \eta(\chi)^{\beta p^{k-1}} \pmod N.$$

(3) If $r$ is prime and coprime to $p$ and $q$ then

$$\tau(\chi)^{r^{(p-1)p^{k-1}} - 1} \equiv \chi(r)^{p^{k-1}} \pmod r.$$


Proof. Assertion (1) follows from $(*_\beta)$ by induction on $i$ using the identity

$$N^{i+1} - \sigma_N^{i+1} = N^i(N - \sigma_N) + \sigma_N(N^i - \sigma_N^i)$$

and $\eta(\chi)^{\sigma_N} = \eta(\chi)^N$ since $\eta(\chi) \in \langle \zeta_n \rangle$. For (2) we apply the first assertion to $i = (p-1)p^{k-1}$ and use Euler's Theorem 1.4.2 which tells us that

$$N^{(p-1)p^{k-1}} \equiv 1 \pmod{p^k}.$$

The last assertion follows immediately since Proposition 9.1.7 tells us that $(*_\beta)$ is satisfied for a prime number $r$ with $\beta = 1$ and $\eta(\chi) = \chi(r)$. □


We now introduce a condition which will be crucial to all our future work. We will show that this condition is a consequence of $(*_\beta)$ conditions for suitable characters $\chi$. This means that it will have a similar nature to the Fermat tests, but it is much more convenient to isolate it from the rest of the tests.

Definition 9.1.9. We say that condition $\mathcal{C}_p$ is satisfied (with respect to $N$ of course) if for all prime divisors $r$ of $N$ and all integers $a > 0$ we can find an integer $l_p(r,a)$ such that

$$r^{p-1} \equiv N^{(p-1)l_p(r,a)} \pmod{p^a}.$$


Note that if $N$ is prime this condition is trivially satisfied with $l_p(r,a) = 1$. We will see later that this condition is not as difficult as it looks and that it can easily be checked. For the moment, let us see what consequences we can deduce from it. Note first that if $l_p(r,a)$ exists for all primes $r$ dividing $N$, it exists by additivity for every divisor $r$ of $N$.

Note also that condition $\mathcal{C}_p$ is more nicely stated in $p$-adic terms, but we will stay with the present definition. One consequence of this fact which we will use (and prove later) is the following result.

Lemma 9.1.10. Let $u = v_p(N^{p-1} - 1)$ if $p \ge 3$, $u = v_2(N^2 - 1)$ if $p = 2$. Then for $a \ge b \ge u$ we have

$$l_p(r,a) \equiv l_p(r,b) \pmod{p^{b-u}}.$$


The  main  consequence  of  condition  Cp  which  we  need  is  the  following. 

Proposition 9.1.11. Assume that condition $\mathcal{C}_p$ is satisfied.

(1) If $\chi$ satisfies $(*_\beta)$ for some $\beta \notin \mathfrak{p}$, then for all sufficiently large $a$ and all $r \mid N$ we have

$$\chi(r) = \chi(N)^{l_p(r,a)} \quad\text{and}\quad \eta(\chi) = \chi(N).$$

(2) If $\psi$ is a character modulo a power of $p$ and of order a power of $p$, then we also have

$$\psi(r) = \psi(N)^{l_p(r,a)}$$

for sufficiently large $a$.

Proof. Set for simplicity $x = \tau(\chi)^\beta$. From the first part of Lemma 9.1.8 we have

$$x^{N^{(p-1)p^k} - 1} \equiv 1 \pmod N.$$

Set $N^{(p-1)p^k} - 1 = p^e N_1$ with $p \nmid N_1$. Set $\ell = l_p(r, \max(e, k+u))$, where $u$ is as in Lemma 9.1.10. Then again using the first part of Lemma 9.1.8 (with $i = (p-1)\ell$, raised to the power $N_1$) we have

$$x^{N_1 N^{(p-1)\ell}} \equiv \eta(\chi)^{-\beta(p-1)\ell N_1 N^{(p-1)\ell}}\; \tau\!\left(\chi^{N^{(p-1)\ell}}\right)^{\beta N_1} \pmod N$$

$$\equiv \eta(\chi)^{-\beta(p-1)\ell N_1 r^{p-1}}\; \tau\!\left(\chi^{r^{p-1}}\right)^{\beta N_1} \pmod N$$

since $\eta(\chi)$ and $\chi$ are of order dividing $p^k$, and $N^{(p-1)\ell} \equiv r^{p-1} \pmod{p^k}$ by the choice of $\ell$. If $r$ is a prime divisor of $N$, we have by Proposition 9.1.7 (and the first part of Lemma 9.1.8 applied to $r$ with $i = p-1$)

$$x^{r^{p-1}} \equiv \chi(r)^{-\beta(p-1)r^{p-1}}\; \tau\!\left(\chi^{r^{p-1}}\right)^{\beta} \pmod r,$$

and raising this to the power $N_1$ and dividing, since $\tau(\chi^{r^{p-1}})^\beta$ is invertible modulo $r$ by Proposition 9.1.6, we obtain finally

$$x^{N_1\left(N^{(p-1)\ell} - r^{p-1}\right)} \equiv \xi^{\beta(p-1)r^{p-1}N_1} \pmod r \quad\text{with}\quad \xi = \chi(r)\eta(\chi)^{-\ell}.$$

Now from our choice of $\ell$, we have $N^{(p-1)\ell} \equiv r^{p-1} \pmod{p^e}$, hence

$$N_1\left(N^{(p-1)\ell} - r^{p-1}\right) \equiv 0 \pmod{N^{(p-1)p^k} - 1}.$$

So if we combine this with our preceding congruences we obtain

$$\xi^{\beta(p-1)r^{p-1}N_1} \equiv 1 \pmod r.$$

Now we trivially have $N_1\beta(p-1)r^{p-1} \notin \mathfrak{p}$ since $\mathfrak{p}$ is a prime ideal and none of the factors belong to $\mathfrak{p}$. Since $\xi$ is a $p^k$-th root of unity, the definition of $\mathfrak{p}$ implies that it must be equal to 1, i.e. that

$$\chi(r) = \eta(\chi)^{\ell} = \eta(\chi)^{l_p(r,a)}$$

for $a$ sufficiently large, and for all prime $r$ dividing $N$ (by Lemma 9.1.10 and our choice of $\ell$). By additivity of $l_p$ (i.e. $l_p(rr',a) = l_p(r,a) + l_p(r',a)$) it immediately follows that this is true for all divisors $r$ of $N$, not only prime ones. In particular, it is true for $r = N$ and since we can take $l_p(N,a) = 1$ we have $\chi(N) = \eta(\chi)$ and the first part of the proposition is proved.

For the second part, if $\psi$ is of order $p^{k_1}$ modulo $p^{k_2}$ then if we take $\ell = l_p(r, \max(k_1, k_2))$ it is clear that $\psi(r^{p-1}) = \psi(N^{p-1})^{\ell}$ and since $p-1$ is coprime to the order of $\psi$ we immediately get the second part of the proposition. Note that we have implicitly used Lemma 9.1.10 in the proof of both parts. □


From  this  result,  we  obtain  the  following  theorem  which  is  very  close  to 
our  final  goal  of  proving  N  to  be  prime. 


Theorem 9.1.12. Let $t$ be an even integer, let

$$e(t) = 2 \prod_{\substack{q \text{ prime} \\ (q-1) \mid t}} q^{v_q(t)+1}$$

and assume that $(N, t\,e(t)) = 1$. For each pair of prime numbers $(p,q)$ such that $(q-1) \mid t$ and $p^k \,\|\, (q-1)$, let $\chi_{p,q}$ be a character modulo $q$ of order $p^k$ (for example $\chi_{p,q}(g_q) = \zeta_{p^k}$ if $g_q$ is a primitive root modulo $q$). Assume that

(1) For each pair $(p,q)$ as above the character $\chi = \chi_{p,q}$ satisfies condition $(*_\beta)$ for some $\beta \notin \mathfrak{p}$ (but of course depending on $p$ and $q$).

(2) For all primes $p \mid t$, condition $\mathcal{C}_p$ is satisfied.

Then for every divisor $r$ of $N$ there exists an integer $i$ such that $0 \le i < t$ satisfying

$$r \equiv N^i \pmod{e(t)}.$$


Proof. From Proposition 9.1.11 and Lemma 9.1.10, there exists a sufficiently large $a$ such that $\chi(r) = \chi(N)^{l_p(r,a)}$ for every $p$ and every $\chi = \chi_{p,q}$. By the Chinese remainder Theorem 1.3.9, we can find $l(r)$ defined modulo $t$ such that $l(r) \equiv l_p(r,a) \pmod{p^{v_p(t)}}$ for all primes $p$ dividing $t$, hence since $p^k \mid (q-1) \mid t$, for all $p$ and $q$ as above we have

$$\chi_{p,q}(r) = \chi_{p,q}(N)^{l(r)}.$$

Now I claim that $\chi_q = \prod_{p \mid (q-1)} \chi_{p,q}$ is a character of order exactly $q-1$. Indeed, if $\chi_0$ is the trivial character modulo $q$, then $\chi_q^a = \chi_0$ implies that for every $p^k \,\|\, (q-1)$,

$$\chi_{p,q}^{a(q-1)/p^k} = \chi_0,$$

hence since $\chi_{p,q}$ is of order a power of $p$, hence prime to $(q-1)/p^k$, that $\chi_{p,q}^a = \chi_0$. This shows that $p^k \mid a$ since $\chi_{p,q}$ is of order exactly equal to $p^k$. Since this is true for every $p \mid q-1$, we have $(q-1) \mid a$, thus proving our assertion.

Hence, $\chi_q$ is a generator of the group of characters modulo $q$, and this implies that for any character $\chi_1$ modulo $q$ we have $\chi_1(r) = \chi_1(N)^{l(r)}$.

Now let $\chi$ be a character modulo $q^{v_q(t)+1+\delta}$ where $\delta = 0$ if $q > 2$, $\delta = 1$ if $q = 2$. We can write $\chi = \chi_1\chi_2$, where $\chi_1$ is a character modulo $q$ and $\chi_2$ modulo $q^{v_q(t)+1+\delta}$ of order dividing $q^{v_q(t)+1+\delta-(1+\delta)} = q^{v_q(t)}$ (this follows from Theorem 1.4.1). Hence, if $q \nmid t$, $\chi = \chi_1$ so $\chi(r) = \chi(N^{l(r)})$. On the other hand, if $q \mid t$, then by assumption, condition $\mathcal{C}_q$ is satisfied. Hence, by Proposition 9.1.11 (2) we have

$$\chi_2(r) = \chi_2(N)^{l_q(r,a)} = \chi_2(N^{l(r)})$$

since $\chi_2$ is of order $q^{v_q(t)}$ and $l(r) \equiv l_q(r,a) \pmod{q^{v_q(t)}}$ for $a$ sufficiently large. Therefore for every $\chi$ modulo $e(t)$ this equality is true, and this proves that

$$r \equiv N^{l(r)} \pmod{e(t)}.$$

Finally note that for every prime $q$ such that $(q-1) \mid t$ we have

$$N^{(q-1)q^{v_q(t)}} \equiv 1 \pmod{q^{v_q(t)+1+\delta}}.$$

Hence, $N^t \equiv 1 \pmod{e(t)}$, so we may reduce the exponent $l(r)$ modulo $t$, thus proving the theorem. □


Corollary 9.1.13. We keep all the notations and assumptions of the theorem. Set $r_i = N^i \bmod e(t)$, so that $0 \le r_i < e(t)$. If $e(t) > \sqrt{N}$ and if for every $i$ such that $0 \le i < t$ we have $r_i = 1$ or $r_i = N$ or $r_i \nmid N$, then $N$ is prime.

Proof. If $N$ was not prime, there would exist a prime divisor $r$ of $N$ such that $1 < r \le \sqrt{N} < e(t)$, and by the theorem there would exist $i < t$ such that $r \equiv N^i \pmod{e(t)}$, hence $r = r_i$, contradiction. □
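As an added example (not the book's code), here is the computation of $e(t)$ from Theorem 9.1.12 and the final divisor loop of Corollary 9.1.13 in Python. The function only performs the corollary's last step; it assumes that conditions (1) and (2) of the theorem have already been established for $N$ and $t$, which it does not check. The sample $N = 365 = 5 \cdot 73$ is constructed so that $73 \equiv 1 \pmod{e(2)}$, which makes the loop exhibit the divisor $5 = r_1$.

```python
from math import gcd


def is_prime(n):
    """Trial division; q never exceeds t + 1 here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def valuation(p, m):
    """v_p(m) for a nonzero integer m."""
    v = 0
    while m % p == 0:
        m //= p
        v += 1
    return v


def e_of_t(t):
    """e(t) = 2 * prod_{q prime, (q-1) | t} q^(v_q(t) + 1)  (Theorem 9.1.12)."""
    e = 2
    for q in range(2, t + 2):                 # (q - 1) | t forces q <= t + 1
        if t % (q - 1) == 0 and is_prime(q):
            e *= q ** (valuation(q, t) + 1)
    return e


def corollary_9_1_13_check(N, t):
    """Final step of Corollary 9.1.13: scan r_i = N^i mod e(t) for 0 <= i < t.
    Returns (True, None) if every r_i is 1, N or not a divisor of N, otherwise
    (False, r_i) for the first r_i that is a proper divisor of N.
    Precondition (NOT verified here): the Jacobi-sum conditions (1), (2) of
    Theorem 9.1.12 hold for N and t."""
    e = e_of_t(t)
    if gcd(N, t * e) != 1:
        raise ValueError("theorem requires gcd(N, t e(t)) = 1")
    if e * e <= N:
        raise ValueError("corollary requires e(t) > sqrt(N); increase t")
    for i in range(t):
        r = pow(N, i, e)                       # r is never 0 since gcd(N, e) = 1
        if r == 1 or r == N or N % r != 0:
            continue
        return False, r
    return True, None


if __name__ == "__main__":
    print(e_of_t(2), e_of_t(12))               # -> 24 65520
    print(corollary_9_1_13_check(97, 2))       # -> (True, None)
    print(corollary_9_1_13_check(365, 2))      # -> (False, 5): r_1 = 365 mod 24
```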


9.1.4 Checking Condition $\mathcal{C}_p$

We must now see how to check condition $\mathcal{C}_p$, and incidentally prove Lemma 9.1.10. We have the following result:

Lemma 9.1.14.

(1) If $p \ge 3$, condition $\mathcal{C}_p$ is equivalent to the inequality

$$v_p\left(r^{p-1} - 1\right) \ge v_p\left(N^{p-1} - 1\right).$$

(2) For $p = 2$, condition $\mathcal{C}_2$ is equivalent to the inequality

$$\max\left(v_2(r-1),\, v_2(r-N)\right) \ge v_2\left(N^2 - 1\right).$$


Proof. That condition $\mathcal{C}_p$ implies the above inequalities is trivial and left to the reader. Conversely, assume they are satisfied, and consider first the case $p \ge 3$. Set $u = v_p(N^{p-1} - 1)$. Then it is easy to prove by induction on $a \ge 0$ that there exist integers $x_i$ for $0 \le i < a$ satisfying $0 \le x_i < p$ and such that if we set $l_p(r, a+u) = \sum_{0 \le i < a} x_i p^i$ we will have

$$r^{p-1} \equiv N^{(p-1)l_p(r,a+u)} \pmod{p^{a+u}}.$$

A similar induction works for $p = 2$ with $u = v_2(N^2 - 1)$ and $a+u$ replaced by $a+u-1$. This proves both the above lemma and Lemma 9.1.10 since the $x_i$ are independent of $a$. □

Corollary 9.1.15. If $p \ge 3$ and $N^{p-1} \not\equiv 1 \pmod{p^2}$, then condition $\mathcal{C}_p$ is satisfied.

This is clear, since in this case $v_p(N^{p-1} - 1) = 1$. □
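As an added illustration (not from the book), the following Python makes Definition 9.1.9, Lemma 9.1.10, Lemma 9.1.14 and Corollary 9.1.15 concrete: a brute-force search for $l_p(r,a)$, the valuation criterion of the lemma for one divisor, and the corollary's quick test. Feeding it a known factorization is only for illustration; in the real test the factors of $N$ are of course unknown, which is why Proposition 9.1.17 is needed.

```python
def vp(p, m):
    """p-adic valuation v_p(m) of a nonzero integer m."""
    if m == 0:
        raise ValueError("v_p(0) is infinite")
    m, v = abs(m), 0
    while m % p == 0:
        m //= p
        v += 1
    return v


def u_of(N, p):
    """The integer u of Lemma 9.1.10:
    v_p(N^(p-1) - 1) for p >= 3, and v_2(N^2 - 1) for p = 2."""
    return vp(2, N * N - 1) if p == 2 else vp(p, pow(N, p - 1) - 1)


def find_lp(N, p, r, a):
    """Brute-force l_p(r, a) of Definition 9.1.9, i.e. an l with
    r^(p-1) = N^((p-1) l) (mod p^a), or None if no such l exists."""
    mod = p ** a
    target = pow(r, p - 1, mod)
    base = pow(N, p - 1, mod)
    for l in range(mod):                   # l only matters modulo ord(base)
        if pow(base, l, mod) == target:
            return l
    return None


def cp_forced_by_corollary(N, p):
    """Corollary 9.1.15: for p >= 3, N^(p-1) != 1 (mod p^2) already gives C_p."""
    return p >= 3 and pow(N, p - 1, p * p) != 1


def cp_holds_for_divisor(N, p, r):
    """Lemma 9.1.14 criterion for one prime divisor r of N
    (r = 1 or r = N are trivial and return True)."""
    if r == 1 or r == N:
        return True
    if p == 2:
        return max(vp(2, r - 1), vp(2, r - N)) >= vp(2, N * N - 1)
    return vp(p, pow(r, p - 1) - 1) >= vp(p, pow(N, p - 1) - 1)


def cp_holds(N, p, prime_divisors):
    """Condition C_p for N, given (for illustration) its prime divisors."""
    return all(cp_holds_for_divisor(N, p, r) for r in prime_divisors)


if __name__ == "__main__":
    # constructed examples
    print(cp_forced_by_corollary(13, 3))   # True : 13^2 = 7 (mod 9)
    print(cp_holds(35, 3, [5, 7]))         # False: v_3(5^2-1)=1 < v_3(35^2-1)=2
    print(find_lp(35, 3, 5, 2))            # None : no l with 25 = 35^(2l) (mod 9)
    print(cp_holds(65, 3, [5, 13]))        # True
    print(find_lp(65, 3, 5, 3))            # 8    : 13^8 = 25 (mod 27)
```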

This result is already useful for testing $\mathcal{L}_p$, but it is not a systematic way of doing so. Before giving a more systematic result, we need another lemma.

Lemma 9.1.16. Let $a$ and $b$ be positive integers, and let $x$ be in $\mathbb{Z}[\zeta_{p^k}, \zeta_q]$. Assume that for an integer $r$ coprime to $p$ we have the congruences

$x^a \equiv \eta_a \pmod r \quad \text{and} \quad x^b \equiv \eta_b \pmod r,$

where $\eta_a$ and $\eta_b$ are primitive roots of unity of order $p^{l_a}$ and $p^{l_b}$ respectively, where $l_a$ and $l_b$ are less than or equal to $k$.

Assume, in addition, that $l_a \ge l_b$ and $l_a \ge 1$. Then:

$v_p(b) - v_p(a) = l_a - l_b \quad \text{if } l_b \ne 0,$

$v_p(b) - v_p(a) \ge l_a \quad \text{if } l_b = 0.$


Proof. Write $a = p^{v_p(a)} m$, $b = p^{v_p(b)} n$, so $p \nmid mn$. If we had $v_p(a) > v_p(b)$, then, computing $x^{an}$ in two different ways ($an = p^{v_p(a) - v_p(b)} bm$) we would obtain

$\eta_a^{\,n} = \eta_b^{\,m p^{v_p(a) - v_p(b)}},$

so $l_a < l_b$, contrary to our assumption. Hence $v_p(b) \ge v_p(a)$, and we can now similarly compute $x^{mb}$ in two different ways, giving

$\eta_a^{\,n p^{v_p(b) - v_p(a)}} = \eta_b^{\,m}.$

This immediately implies the lemma. Note that a congruence between roots of unity of order a power of $p$ is in fact an equality since $p$ is coprime to $r$. □


The main result which allows us to test condition $\mathcal{L}_p$ is the following:

Proposition 9.1.17. Assume that we can find a character $\chi$ modulo $q$, of order $p^k$, and a $\beta \notin \mathfrak{p}$, for which $(*_\beta)$ is satisfied with $\eta(\chi)$ a primitive $p^k$-th root of unity. Then, if one of the following supplementary conditions is true, condition $\mathcal{L}_p$ is satisfied:

(1) $p \ge 3$;

(2) $p = 2$, $k = 1$ and $N \equiv 1 \pmod 4$;

(3) $p = 2$, $k \ge 2$ and $q^{(N-1)/2} \equiv -1 \pmod N$.


Proof. Assume that $p \ge 3$. By Lemma 9.1.8, if $r$ is a prime divisor of $N$ and if we set $x = \tau(\chi)^\beta$, then we have
xn(p  )p  -1  =  f](x)^v  (mod  r) 

and 

xr(P  )P  -1  =  xir)(3p  1  (mod  r). 

Since $\beta \notin \mathfrak{p}$, $\eta(\chi)^{\beta p^{k-1}}$ is a primitive $p$-th root of unity. From Lemma 9.1.16, we deduce that

$v_p\bigl(r^{(p-1)p^{k-1}} - 1\bigr) - v_p\bigl(N^{(p-1)p^{k-1}} - 1\bigr) \ge 0.$
But, since $p \ge 3$, for any integer $m$ coprime to $p$ we have

$v_p\bigl(m^{(p-1)p^{k-1}} - 1\bigr) = k - 1 + v_p(m^{p-1} - 1),$

hence

$v_p(r^{p-1} - 1) \ge v_p(N^{p-1} - 1),$

and this proves the theorem in this case by Lemma 9.1.14.

The proof of the two other cases is similar and left to the reader (see Exercise 5). □

It is easy to show that if $N$ is prime, one can always find a $\chi$ satisfying the hypotheses of Proposition 9.1.17. In practice, such a $\chi$, if not already found among the $\chi$ which are used to test $(*_\beta)$, will be found after a few trials at most. Strictly speaking, however, this part of the algorithm makes it probabilistic, but in a weak sense. A non-probabilistic, but less practical version also exists (see [APR]).


9.1.5 The Use of Jacobi Sums

It is clear that we now have an asymptotically fast primality testing algorithm. In this form, however, it is far from being practical. The main reason is as follows: we essentially have to test a number of conditions of the form $(*_\beta)$ for certain $\beta$'s and characters. This number is not that large; for example if $N$ has less than 100 decimal digits, less than 80 tests will usually be necessary. The main problem lies in the computation of $\tau(\chi)^{\beta(N - \sigma_N)} \bmod N$. One needs to work in the ring $\mathbb{Z}[\zeta_{p^k}, \zeta_q]$, and this will be hopelessly slow (to take again the case of $N < 10^{100}$, we can take $t = 5040$, hence $p^k$ will be very small, more precisely $p^k \le 16$, but $q$ will be much larger, the largest value being $q = 2521$). We must therefore find a better way to test these conditions. The reader may have wondered why we have carried along the element $\beta \in \mathbb{Z}[G]$, which up to now was not necessary. Now, however, we are going to make a specific choice for $\beta$, and it will not be $\beta = 1$. We have the following proposition.


Proposition 9.1.18. Let $\chi$ be a character modulo $q$ of order $p^k$, and let $a$ and $b$ be integers such that $p \nmid ab(a+b)$. Denote by $E$ the set of integers $x$ such that $1 \le x < p^k$ and $p \nmid x$. Finally, let

$\alpha = \sum_{x \in E} \left\lfloor \frac{Nx}{p^k} \right\rfloor \sigma_x^{-1}$

and

$\beta = -\sum_{x \in E} \left( \left\lfloor \frac{xa}{p^k} \right\rfloor + \left\lfloor \frac{xb}{p^k} \right\rfloor - \left\lfloor \frac{x(a+b)}{p^k} \right\rfloor \right) \sigma_x^{-1}.$

Then, we have

$\tau(\chi)^{\beta(N - \sigma_N)} = j(\chi^a, \chi^b)^{\alpha}.$
Proof. Set

$\Theta = \sum_{x \in E} x\, \sigma_x^{-1} \in \mathbb{Z}[G].$

An easy computation shows that for any integer $r$ not divisible by $p$ we have

$\Theta(\sigma_r - r) = -p^k \sum_{x \in E} \left\lfloor \frac{rx}{p^k} \right\rfloor \sigma_x^{-1}.$

Using this formula for $r = N$, $a$, $b$ and $a + b$ (which are all coprime to $p$) we obtain

$\Theta(N - \sigma_N) = p^k \alpha$

and

$\Theta(\sigma_a + \sigma_b - \sigma_{a+b}) = \Theta\bigl(\sigma_a - a + \sigma_b - b - (\sigma_{a+b} - (a+b))\bigr) = p^k \beta,$

hence

$\beta(N - \sigma_N) = \alpha(\sigma_a + \sigma_b - \sigma_{a+b}).$

Now it follows from Proposition 9.1.6 that

$j(\chi^a, \chi^b) = \tau(\chi)^{\sigma_a + \sigma_b - \sigma_{a+b}},$

and our proposition follows. □


One sees from this proposition that if we can find suitable values of $a$ and $b$, we can replace taking powers of $\tau(\chi)$, which are in a large ring, by powers of a Jacobi sum, which are in the much smaller ring $\mathbb{Z}[\zeta_{p^k}]$. This is the basic observation needed to make this test practical.

However this is not enough. First, note that the condition $p \nmid ab(a+b)$ immediately excludes the case $p = 2$, which will, as usual, have to be treated separately. Hence, we first assume that $p \ge 3$. Recall that to get anything useful from $(*_\beta)$ we must have $\beta \notin \mathfrak{p}$. This is easily dealt with by the following lemma.


Lemma 9.1.19. With the notations of the above proposition, a necessary and sufficient condition for $\beta \notin \mathfrak{p}$ is that

$a^p + b^p \not\equiv (a+b)^p \pmod{p^2}.$


Proof. If we set

$K = -\sum_{x \in E} \left( \left\lfloor \frac{xa}{p^k} \right\rfloor + \left\lfloor \frac{xb}{p^k} \right\rfloor - \left\lfloor \frac{x(a+b)}{p^k} \right\rfloor \right) x^{-1},$

where $x^{-1}$ is an inverse of $x$ modulo $p^k$, it is clear from the definition of $\mathfrak{p}$ that $\beta \notin \mathfrak{p}$ is equivalent to $p \nmid K$. Now by computing the product of $ax$ for $x \in E$ in two different ways, it is easy to show that if $p \nmid a$,

$\sum_{x \in E} \left\lfloor \frac{ax}{p^k} \right\rfloor x^{-1} \equiv a \cdot \frac{a^{(p-1)p^{k-1}} - 1}{p^k} \pmod{p^k} \qquad (A)$

(see Exercise 1). The lemma follows immediately from this identity and the congruence

$\frac{a^{(p-1)p^{k-1}} - 1}{p^k} \equiv \frac{a^{p-1} - 1}{p} \pmod p$

(see Exercise 2). □


From this we obtain the following.

Proposition 9.1.20. If $3 \le p < 6 \cdot 10^9$ and $p \ne 1093, 3511$, we can take $a = b = 1$. In other words, if we take

$\beta = \sum_{p^k/2 < x < p^k,\ p \nmid x} \sigma_x^{-1}$

then $\beta \notin \mathfrak{p}$ and condition $(*_\beta)$ is equivalent to the congruence

$j(\chi, \chi)^{\alpha} \equiv \eta(\chi)^{-cN} \pmod N,$

where as before

$\alpha = \sum_{x \in E} \left\lfloor \frac{Nx}{p^k} \right\rfloor \sigma_x^{-1}$

and

$c = 2 \cdot \frac{2^{(p-1)p^{k-1}} - 1}{p^k}.$

Proof. By the preceding lemma, we can take $a = b = 1$ if we have $2^p \not\equiv 2 \pmod{p^2}$. This congruence is exactly the Wieferich congruence which occurs for the first case of Fermat's last theorem and has been tested extensively (see [Leh2]). One knows that the only solutions for $p < 6 \cdot 10^9$ are $p = 1093$ and $p = 3511$. The proposition now follows from Proposition 9.1.18 and formula (A) for $a = 2$. □

Note that the restriction on $p$ in the above proposition is completely irrelevant in practice. Even if we were capable one day of using this test to prove the primality of numbers having $10^9$ decimal digits, we would never need primes as large as 1093. This means that we have solved the practical problem of testing $(*_\beta)$ for $p \ge 3$.
The case $p = 2$ is a little more complicated, since we cannot use the above method. Let us first assume that $k \ge 3$. We must now consider the triple Jacobi sum defined by

$j_3(\chi_1, \chi_2, \chi_3) = \sum_{x + y + z = 1} \chi_1(x)\, \chi_2(y)\, \chi_3(z),$

where the variables $x$, $y$ and $z$ range over $\mathbb{F}_q$. A similar proof to the proof of Proposition 9.1.6 shows that if $\chi_1 \chi_2 \chi_3$ is not the trivial character, then

$j_3(\chi_1, \chi_2, \chi_3) = \frac{\tau(\chi_1)\, \tau(\chi_2)\, \tau(\chi_3)}{\tau(\chi_1 \chi_2 \chi_3)}$

and in particular,

$j_3(\chi, \chi, \chi) = \tau(\chi)^{3 - \sigma_3}.$

Now what we want is an analog of Proposition 9.1.18. This can be easily obtained for one half of the values of $N$ as follows.


Proposition 9.1.21. Let $\chi$ be a character modulo $q$ of order $2^k$ with $k \ge 3$. Denote by $E$ the set of integers $x$ such that $1 \le x < 2^k$ and $x$ congruent to 1 or 3 modulo 8. Finally, let

$\alpha = \sum_{x \in E} \left\lfloor \frac{Nx}{2^k} \right\rfloor \sigma_x^{-1}$

and

$\beta = \sum_{x \in E} \left\lfloor \frac{3x}{2^k} \right\rfloor \sigma_x^{-1}.$

Then, if $N$ is congruent to 1 or 3 modulo 8, we have

$\tau(\chi)^{\beta(N - \sigma_N)} = j_3(\chi, \chi, \chi)^{\alpha}.$

Furthermore, $\beta \notin \mathfrak{p}$.

Proof. The proof is essentially the same as that of Proposition 9.1.18, using $\Theta = \sum_{x \in E} x\, \sigma_x^{-1}$. The condition on $N$ is necessary since $\Theta(\sigma_r - r)$ does not take any special form if $r$ is not congruent to 1 or 3 modulo 8. The restriction to these congruence classes is also mandatory since $(\mathbb{Z}/2^k\mathbb{Z})^*$ is not cyclic but has cyclic subgroups of index 2. (We could also have taken for $E$ those $x$ congruent to 1 or 5 modulo 8, but that would have required the use of quintuple Jacobi sums.) □

When $N$ is congruent to 5 or 7 modulo 8, we use the following trick: $-N$ will be congruent to 1 or 3 modulo 8, hence $\Theta(\sigma_{-N} + N)$ will have a nice form. But on the other hand, it is immediate to transform condition $(*_\beta)$ into a condition involving $\sigma_{-N} + N$:

$\tau(\chi)^{\sigma_{-N} + N} = \tau(\chi)^{N - \sigma_N}\, \tau(\chi^N)\, \tau(\chi^{-N})$

and by Proposition 9.1.6 we have

$\tau(\chi^N)\, \tau(\chi^{-N}) = \chi(-1)\, q = -q,$

the last equality coming from $\chi(-1) = (-1)^{(q-1)/2^k} = -1$. This enables us to give a proposition analogous to Proposition 9.1.21 for $N$ congruent to 5 or 7 modulo 8.

Proposition 9.1.22. Let $\chi$ be a character modulo $q$ of order $2^k$ with $k \ge 3$. Denote by $E$ the set of integers $x$ such that $1 \le x < 2^k$ and $x$ congruent to 1 or 3 modulo 8. Finally, let

$\alpha_1 = \sum_{x \in E} \left( \left\lfloor \frac{Nx}{2^k} \right\rfloor + 1 \right) \sigma_x^{-1}$

and

$\beta = \sum_{x \in E} \left\lfloor \frac{3x}{2^k} \right\rfloor \sigma_x^{-1}.$

Then, if $N$ is congruent to 5 or 7 modulo 8, we have

$\tau(\chi)^{\beta(N - \sigma_N)} = j_3(\chi, \chi, \chi)^{\alpha_1} (-q)^{-\beta}.$

Furthermore, $\beta \notin \mathfrak{p}$.

The proof of this proposition follows immediately from what we have said before and is left to the reader. □


Corollary 9.1.23. Let $\chi$ and $E$ be as in the proposition. Set $\delta_N = 0$ if $N$ is congruent to 1 or 3 modulo 8, $\delta_N = 1$ if $N$ is congruent to 5 or 7 modulo 8. We may replace condition $(*_\beta)$ by the following condition:

$\bigl(j(\chi, \chi)\, j(\chi, \chi^2)\bigr)^{\alpha}\, j_2^{\delta_N}\bigl(\chi^{2^{k-3}}, \chi^{3 \cdot 2^{k-3}}\bigr) \equiv (-1)^{\delta_N}\, \eta(\chi)^{-cN} \pmod N,$

where

$\alpha = \sum_{x \in E} \left\lfloor \frac{Nx}{2^k} \right\rfloor \sigma_x^{-1}$

and

$c = 3 \cdot \frac{3^{2^{k-2}} - 1}{2^k}.$
Proof. Note first that using the formulas linking triple Jacobi sums with Gauss sums, and the analogous formula for ordinary Jacobi sums (Proposition 9.1.6), we have

$j_3(\chi, \chi, \chi) = j(\chi, \chi)\, j(\chi, \chi^2)$

and this is the most efficient way to compute $j_3$.

Now if $N$ is congruent to 1 or 3 modulo 8, the result follows immediately from Proposition 9.1.21 and formula (A) for $a = 3$.

Assume now that $N$ is congruent to 5 or 7 modulo 8. From Proposition 9.1.22, formula (A) and the identity

$\sum_{x \in E} \left\lfloor \frac{3x}{2^k} \right\rfloor = 2^{k-2} - 1,$

we obtain

$j_3(\chi, \chi, \chi)^{\alpha_1} \equiv \eta(\chi)^{-cN} (-q)^d$

with $d = 2^{k-2} - 1$. It is clear that the corollary will follow from this formula and the following lemma:

Lemma 9.1.24. Set $\gamma = \sum_{x \in E} \sigma_x^{-1}$ and $d = 2^{k-2} - 1$. We have the identity:

$j_3(\chi, \chi, \chi)^{\gamma} = q^d\, j_2\bigl(\chi^{2^{k-3}}, \chi^{3 \cdot 2^{k-3}}\bigr).$

Proof. Using the formula expressing triple Jacobi sums in terms of Gauss sums, we have

$j_3(\chi, \chi, \chi)^{\gamma} = \prod_{x \in E} \tau^2(\chi^x).$

Now we have the following theorem, due to Hasse and Davenport (see for example [Was] and [Ire-Ros]).

Theorem 9.1.25 (Hasse-Davenport). Let $\psi$ be any character and $\chi_1$ a character of order exactly equal to $m$. We have the identity

$\prod_{0 \le i < m} \tau(\psi \chi_1^i) = -\tau(\psi^m)\, \psi^{-m}(m) \prod_{0 < x < m} \tau(\chi_1^x).$


Applying this identity to $\psi = \chi^a$, $\chi_1 = \chi^{2^{k-1}}$, one easily shows by induction on $l$ that

$\prod_{0 \le n < 2^l} \tau^2\bigl(\chi^{a + n 2^{k-l}}\bigr) = q^{2^l - 1}\, \tau^2\bigl(\chi^{2^l a}\bigr)\, \chi(2)^{-a l 2^{l+1}}.$

If we now take $l = k - 3$ and multiply the identities for $a = 1$ and $a = 3$, we easily obtain the lemma by using Proposition 9.1.6, thus proving our corollary. □

Note that one can give a direct proof of Lemma 9.1.24 without explicitly using the Hasse-Davenport theorem (see Exercise 3).

We have assumed that $k \ge 3$. What remains is the easy case of $k \le 2$. Here we have the following proposition, whose proof is an immediate consequence of Proposition 9.1.6.

Proposition 9.1.26. For $p = 2$ and $k = 1$, condition $(*_1)$ is equivalent to the congruence

$(-q)^{(N-1)/2} \equiv \eta(\chi) \pmod N.$

For $p = 2$ and $k = 2$, condition $(*_1)$ is equivalent to the congruence

$j(\chi, \chi)^{(N-1)/2}\, q^{(N-1)/4} \equiv \eta(\chi)^{-1} \pmod N$

if $N \equiv 1 \pmod 4$, and to the congruence

$j(\chi, \chi)^{(N+1)/2}\, q^{(N-3)/4} \equiv -\eta(\chi) \pmod N$

if $N \equiv 3 \pmod 4$.

This ends our transformation of condition $(*_\beta)$ into conditions involving only the ring $\mathbb{Z}[\zeta_{p^k}]$.


9.1.6 Detailed Description of the Algorithm

We can now give a detailed and complete description of the Jacobi sum primality test.

Algorithm 9.1.27 (Precomputations). Let $B$ be an upper bound on the numbers that we want to test for primality using the Jacobi sum test. This algorithm makes a number of necessary precomputations which do not depend on $N$ but only on $B$.

1. [Find $t$] Using a table of $e(t)$, find a $t$ such that $e^2(t) > B$.

2. [Compute Jacobi sums] For every prime $q$ dividing $e(t)$ with $q \ge 3$, do as follows.

(1) Using Algorithm 1.4.4, compute a primitive root $g_q$ modulo $q$, and a table of the function $f(x)$ defined for $1 \le x \le q - 2$ by $1 - g_q^x = g_q^{f(x)}$ and $1 \le f(x) \le q - 2$.

(2) For every prime $p$ dividing $q - 1$, let $k = v_p(q - 1)$ and let $\chi_{p,q}$ be the character defined by $\chi_{p,q}(g_q) = \zeta_{p^k}$.

(3) If $p \ge 3$ or $p = 2$ and $k = 2$, compute

$J(p, q) = j(\chi_{p,q}, \chi_{p,q}) = \sum_{1 \le x \le q-2} \zeta_{p^k}^{\,x + f(x)}.$

If $p = 2$ and $k \ge 3$, compute $J(2, q)$ as above,

$j(\chi_{2,q}^2, \chi_{2,q}) = \sum_{1 \le x \le q-2} \zeta_{2^k}^{\,2x + f(x)},$

$J_3(q) = j_3(\chi_{2,q}, \chi_{2,q}, \chi_{2,q}) = J(2, q)\, j(\chi_{2,q}^2, \chi_{2,q})$

and

$J_2(q) = j_2\bigl(\chi_{2,q}^{2^{k-3}}, \chi_{2,q}^{3 \cdot 2^{k-3}}\bigr) = \Bigl( \sum_{1 \le x \le q-2} \zeta_{2^k}^{\,2^{k-3}(x + 3 f(x))} \Bigr)^2.$

Note that it is very easy to build once and for all a table of $e(t)$. For example, $e(5040) \approx 1.532 \cdot 10^{52}$, hence $t = 5040$ can be used for numbers having up to 104 decimal digits, and $e(720720) \approx 2.599 \cdot 10^{237}$, for numbers having up to 474 decimal digits (see however the remarks at the end of this section).
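As an added example, not code from the book, the following Python carries out step 2 of Algorithm 9.1.27 for one prime $q$: it finds a primitive root $g_q$, builds the table $f(x)$, and evaluates $J(p,q)$ (and $J_3(q)$ when $p = 2$, $k \ge 3$) as coefficient vectors of $\mathbb{Z}[\zeta_{p^k}]$ in the basis $1, \zeta, \dots, \zeta^{p^k - 1}$; it then checks the norms $j\bar{j} = q$ and $j_3\bar{j}_3 = q^2$ by reducing modulo $\Phi_{p^k}$. The values $q = 7$, $p = 3$ and $q = 17$, $p = 2$ used below are constructed for this example, and the function names are the example's own.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (n is tiny here)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + [n] if n > 1 else out


def primitive_root(q):
    """Smallest primitive root g_q modulo the prime q (the role of Algorithm 1.4.4)."""
    factors = prime_factors(q - 1)
    return next(g for g in range(2, q)
                if all(pow(g, (q - 1) // r, q) != 1 for r in factors))


def log_table(q, g):
    """f(x) with 1 - g^x = g^f(x) (mod q) for 1 <= x <= q-2, step 2(1) of Algorithm 9.1.27."""
    dlog = {pow(g, e, q): e for e in range(q - 1)}
    return {x: dlog[(1 - pow(g, x, q)) % q] for x in range(1, q - 1)}


def jacobi_sum(f, n, s, t):
    """j(chi^s, chi^t) = sum_{1<=x<=q-2} zeta^{s x + t f(x)} with chi(g_q) = zeta_n, n = p^k,
    as the coefficient vector of a polynomial in zeta of degree < n (s = t = 1 gives J(p,q))."""
    v = [0] * n
    for x, fx in f.items():
        v[(s * x + t * fx) % n] += 1
    return v


def cyc_mul(u, v, n):
    """Product in Z[x]/(x^n - 1): multiply the two vectors as polynomials in zeta."""
    w = [0] * n
    for i, ui in enumerate(u):
        if ui:
            for j, vj in enumerate(v):
                w[(i + j) % n] += ui * vj
    return w


def conjugate(u, n):
    """Complex conjugation zeta -> zeta^{-1} on a coefficient vector."""
    return [u[(-e) % n] for e in range(n)]


def reduce_mod_phi(u, p, k):
    """Canonical form in Z[zeta_{p^k}]: remainder modulo Phi_{p^k}(x) = sum_{0<=i<p} x^{i p^{k-1}},
    a vector of length phi(p^k) = (p-1) p^{k-1}."""
    n, step = p ** k, p ** (k - 1)
    deg = (p - 1) * step
    c = list(u) + [0] * (n - len(u))
    for d in range(n - 1, deg - 1, -1):          # clear the top coefficient x^d using x^{d-deg} Phi
        if c[d]:
            t, shift = c[d], d - deg
            for i in range(p):
                c[shift + i * step] -= t
    return c[:deg]


def rational_value(u, p, k):
    """The integer that a vector of Z[zeta_{p^k}] represents, or None if it is not in Z."""
    r = reduce_mod_phi(u, p, k)
    return r[0] if not any(r[1:]) else None


def demo(q, p):
    """Precompute the Jacobi sums of the pair (p, q) and return their norms as a consistency check."""
    k = 0
    while (q - 1) % p ** (k + 1) == 0:           # k = v_p(q - 1)
        k += 1
    n = p ** k
    f = log_table(q, primitive_root(q))
    J = jacobi_sum(f, n, 1, 1)                   # J(p, q) = j(chi, chi)
    out = {"k": k, "norm_J": rational_value(cyc_mul(J, conjugate(J, n), n), p, k)}
    if p == 2 and k >= 3:
        J3 = cyc_mul(J, jacobi_sum(f, n, 2, 1), n)   # J_3(q) = J(2, q) j(chi^2, chi)
        out["norm_J3"] = rational_value(cyc_mul(J3, conjugate(J3, n), n), p, k)
    return out
```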

The Jacobi sum primality testing algorithm is then as follows.

Algorithm 9.1.28 (Jacobi Sum Primality Test). Let $N$ be a positive integer. We assume that $N$ is a strong pseudo-prime in 20 randomly chosen bases (so that $N$ is almost certainly prime). We also assume that $N < B$ and that the precomputations described in the preceding algorithm have been made. This algorithm decides (rigorously!) whether $N$ is prime or not.

1. [Check GCD] If $(t\, e(t), N) > 1$, then $N$ is composite and terminate the algorithm.

2. [Initialize] For every prime $p \mid t$, set $l_p \leftarrow 1$ if $p \ge 3$ and $N^{p-1} \not\equiv 1 \pmod{p^2}$, $l_p \leftarrow 0$ otherwise.

3. [Loop on characters] For each pair $(p, q)$ of primes such that $p^k \,\|\, (q - 1) \mid t$, execute step 4a if $p \ge 3$, step 4b if $p = 2$ and $k \ge 3$, step 4c if $p = 2$ and $k = 2$, step 4d if $p = 2$ and $k = 1$. Then go to step 5.

4a. [Check $(*_\beta)$ for $p \ge 3$] Let $E$ be the set of integers between 0 and $p^k$ which are not divisible by $p$. Set $\theta \leftarrow \sum_{x \in E} x\, \sigma_x^{-1}$, $r \leftarrow N \bmod p^k$, $\alpha \leftarrow \sum_{x \in E} \lfloor rx/p^k \rfloor \sigma_x^{-1}$, and compute $s_1 \leftarrow J(p,q)^{\theta} \bmod N$, $s_2 \leftarrow s_1^{\lfloor N/p^k \rfloor} \bmod N$, and finally $S(p,q) = s_2\, J(p,q)^{\alpha} \bmod N$.

If there does not exist a $p^k$-th root of unity $\eta$ such that $S(p,q) \equiv \eta \pmod N$, then $N$ is composite and terminate the algorithm. If $\eta$ exists and if it is a primitive $p^k$-th root of unity, set $l_p \leftarrow 1$.

4b. [Check $(*_\beta)$ for $p = 2$ and $k \ge 3$] Let $E$ be the set of integers between 0 and $2^k$ which are congruent to 1 or 3 modulo 8. Set $\theta \leftarrow \sum_{x \in E} x\, \sigma_x^{-1}$, $r \leftarrow N \bmod 2^k$, $\alpha \leftarrow \sum_{x \in E} \lfloor rx/2^k \rfloor \sigma_x^{-1}$, and compute $s_1 \leftarrow J_3(q)^{\theta} \bmod N$, $s_2 \leftarrow s_1^{\lfloor N/2^k \rfloor} \bmod N$, and finally $S(2,q) = s_2\, J_3(q)^{\alpha}\, J_2(q)^{\delta_N}$, where $\delta_N = 0$ if $r \in E$ (i.e. if $N$ is congruent to 1 or 3 modulo 8), $\delta_N = 1$ otherwise.

If there does not exist a $2^k$-th root of unity $\eta$ such that $S(2,q) \equiv \eta \pmod N$, then $N$ is composite and terminate the algorithm. If $\eta$ exists and is a primitive $2^k$-th root of unity, and if in addition $q^{(N-1)/2} \equiv -1 \pmod N$, set $l_2 \leftarrow 1$.

4c. [Check $(*_\beta)$ for $p = 2$ and $k = 2$] Set $s_1 \leftarrow J(2,q)^2 \cdot q \bmod N$, $s_2 \leftarrow s_1^{\lfloor N/4 \rfloor} \bmod N$, and finally $S(2,q) \leftarrow s_2$ if $N \equiv 1 \pmod 4$, $S(2,q) \leftarrow s_2\, J(2,q)^2$ if $N \equiv 3 \pmod 4$.

If there does not exist a fourth root of unity $\eta$ such that $S(2,q) \equiv \eta \pmod N$, then $N$ is composite and terminate the algorithm. If $\eta$ exists and is a primitive fourth root of unity (i.e. $\eta = \pm i$), and if in addition $q^{(N-1)/2} \equiv -1 \pmod N$, set $l_2 \leftarrow 1$.

4d. [Check $(*_\beta)$ for $p = 2$ and $k = 1$] Compute $S(2,q) \leftarrow (-q)^{(N-1)/2} \bmod N$. If $S(2,q) \not\equiv \pm 1 \pmod N$, then $N$ is composite and terminate the algorithm. If $S(2,q) \equiv -1 \pmod N$ and $N \equiv 1 \pmod 4$, set $l_2 \leftarrow 1$.

5. [Check conditions $\mathcal{L}_p$] For every $p \mid t$ such that $l_p = 0$, do as follows. Choose random primes $q$ such that $q \nmid e(t)$, $q \equiv 1 \pmod p$, $(q, N) = 1$, and execute step 4a, 4b, 4c or 4d according to the value of the pair $(p, q)$. To do this, we will have to compute a number of new Jacobi sums, since these will not have been precomputed, and we do this as explained in the precomputation algorithm.

If after a reasonable number of attempts some $l_p$ is still equal to 0, then output a message saying that the test has failed (this is highly improbable).

6. For $i = 1, \dots, t - 1$, compute (by induction of course, not by the binary powering algorithm) $r_i \leftarrow N^i \bmod e(t)$. If for some $i$, $r_i$ is a non-trivial divisor of $N$, then $N$ is composite and terminate the algorithm. Otherwise (i.e. if for every $i$ either $r_i \nmid N$ or $r_i = 1$ or $r_i = N$), output the message that $N$ is prime and terminate the algorithm.


9.1.7 Discussion

The above algorithm works already quite well both in theory and in practice. Pomerance and Odlyzko have shown that the running time of the Jacobi sum algorithm is

$O\bigl((\ln N)^{C \ln \ln \ln N}\bigr)$

for some constant $C$. Hence this is almost (but not quite) a polynomial time algorithm. Many improvements are however still possible.

For example, it is not difficult to combine the Jacobi sum test with the information gained from the Pocklington $N - 1$ and $N + 1$ tests (Proposition 8.3.1). One can go even further and combine the test with the so-called Galois theory test. This has been done by Bosma and van der Hulst (see [Bos-Hul]).

Note also that the part of the algorithm which is the most time-critical is the computation of $s_2 \leftarrow s_1^{\lfloor N/p^k \rfloor}$. To do this, we of course use the fastest powering algorithms possible, in practice the $2^k$-left to right Algorithm 1.2.4. But we must also do multiplications in the rings $\mathbb{Z}[\zeta_{p^k}]$, which are of dimension $n = \phi(p^k) = (p - 1)p^{k-1}$ over $\mathbb{Z}$. A priori such a multiplication would require $n^2$ multiplications in $\mathbb{Z}$. Using the same tricks as explained in Section 3.1.2, it is possible to substantially decrease the number of necessary multiplications. Furthermore, special squaring routines must also be written. All this is explained in complete detail in [Coh-Len2] and [Coh-Len3].

Another important improvement uses an algorithm due to H. W. Lenstra (see [Len2]) for finding in polynomial time factors of $N$ which are in a given residue class modulo $s$ when $s > N^{1/3}$. This can be applied here, and allows us to replace the condition $e^2(t) > B$ of the precomputations by $e^3(t) > B$. This gives a substantial saving in time since one can choose a much smaller value of $t$. We give the algorithm here, and refer to [Len2] for its proof.

Algorithm 9.1.29 (Divisors in Residue Classes). Let $r$, $s$, $N$ be integers such that $0 \le r < s < N$, $(r, s) = 1$ and $s > N^{1/3}$. This algorithm determines all the divisors $d$ of $N$ such that $d \equiv r \pmod s$.

1. [Initialization] Using Euclid's extended Algorithm 1.3.6 compute $u$ and $v$ such that $ur + vs = 1$. Set $r' \leftarrow uN \bmod s$ (hence $0 \le r' < s$), $a_0 \leftarrow s$, $b_0 \leftarrow 0$, $c_0 \leftarrow 0$, $a_1 \leftarrow ur' \bmod s$, $b_1 \leftarrow 1$, $c_1 \leftarrow u(N - rr')/s \bmod s$ and $j \leftarrow 1$. Finally, if $a_1 = 0$ set $a_1 = s$ (so $0 < a_1 \le s$).

2. [Compute $c$] If $j$ is even let $c \leftarrow c_j$. Otherwise, let $c \leftarrow c_j + s \lfloor (N + s^2(a_j b_j - c_j))/s^3 \rfloor$, and if $c < 2 a_j b_j$ go to step 6.

3. [Solve quadratic equation] If $(cs + a_j r + b_j r')^2 - 4 a_j b_j N$ is not the square of an integer, go to step 5. Otherwise, let $t_1$ and $t_2$ be the two (integral) solutions of the quadratic equation $T^2 - (cs + a_j r + b_j r')T + a_j b_j N = 0$.

4. [Divisor found?] If $a_j \mid t_1$, $b_j \mid t_2$, $t_1/a_j \equiv r \pmod s$ and $t_2/b_j \equiv r' \pmod s$, then output $t_1/a_j$ as a divisor of $N$ congruent to $r$ modulo $s$.

5. [Other value of $c$] If $j$ is even and $c > 0$, set $c \leftarrow c - s$ and go to step 3.

6. [Next $j$] If $a_j = 0$, terminate the algorithm. Otherwise, set $j \leftarrow j + 1$, and $q_j \leftarrow \lfloor a_{j-2}/a_{j-1} \rfloor$ if $j$ is even, $q_j \leftarrow \lfloor (a_{j-2} - 1)/a_{j-1} \rfloor$ if $j$ is odd. Finally, set $a_j \leftarrow a_{j-2} - q_j a_{j-1}$, $b_j \leftarrow b_{j-2} - q_j b_{j-1}$, $c_j \leftarrow c_{j-2} - q_j c_{j-1}$ and go to step 2.

Remarks.

(1) [Len2] also shows that under the conditions of this algorithm, there exist at most 11 divisors of $N$ congruent to $r$ modulo $s$.

(2) In step 4, $t_2/b_j$ is a divisor of $N$ congruent to $r'$ modulo $s$. Since in the case of the Jacobi sum test $r = N^i \bmod s$ and so $r' = N^{1-i} \bmod s$, Lenstra's algorithm allows us to test simultaneously two residue classes modulo $s$, reducing the time spent in step 6 of Algorithm 9.1.28.


9.2 The Elliptic Curve Test

We now come to the other modern primality test, based on the use of elliptic curves over finite fields. Here, instead of looking for suitably strong generalizations of Fermat's theorem in cyclotomic fields, or equivalently instead of implicitly using the multiplicative group of $\mathbb{F}_{N^k}$, we will use the group of points of elliptic curves over $\mathbb{F}_N$ itself.

Now recall that when we start using a primality test, we are already morally certain that our number $N$ is prime, since it has passed the Rabin-Miller pseudo-primality test. Hence, we can work as if $N$ was prime, for example by assuming that any non-zero element modulo $N$ is invertible. In the unlikely event that some non-zero non-invertible element appears, we can immediately stop the algorithm since we know not only that $N$ is composite, but even an explicit prime factor by taking a GCD with $N$.

We will consider an "elliptic curve over $\mathbb{Z}/N\mathbb{Z}$". What this means is that we consider a Weierstraß equation

$y^2 = x^3 + ax + b, \quad a, b \in \mathbb{Z}/N\mathbb{Z}, \quad (4a^3 + 27b^2) \in (\mathbb{Z}/N\mathbb{Z})^*.$

(It is not necessary to consider a completely general Weierstraß equation since we may of course assume that $(N, 6) = 1$.)

We then add points on this curve as if $N$ was prime. Since the group law involves only addition/subtraction/multiplication/division in $\mathbb{Z}/N\mathbb{Z}$, the only phenomenon which may happen if $N$ is not prime is that some division is impossible, and in that case, as already mentioned, we know that $N$ is composite and we stop whatever algorithm we are executing.

Hence, from now on, we implicitly assume that all operations take place without any problems.


9.2.1 The Goldwasser-Kilian Test

The basic proposition which will enable us to prove that $N$ is prime is the following analog of Pocklington's Theorem 8.3.1.

Proposition 9.2.1. Let $N$ be an integer coprime to 6 and different from 1, and let $E$ be an elliptic curve modulo $N$.

Assume that we know an integer $m$ and a point $P \in E(\mathbb{Z}/N\mathbb{Z})$ satisfying the following conditions.

(1) There exists a prime divisor $q$ of $m$ such that

$q > (\sqrt[4]{N} + 1)^2.$

(2) $m \cdot P = O_E = (0 : 1 : 0)$.

(3) $(m/q) \cdot P = (x : y : t)$ with $t \in (\mathbb{Z}/N\mathbb{Z})^*$.

Then $N$ is prime. (As above, it is assumed that all the computations are possible.)

Proof. Let $p$ be a prime divisor of $N$. By reduction modulo $p$, we know that in the group $E(\mathbb{Z}/p\mathbb{Z})$, the image of $P$ has order a divisor of $m$, but not a divisor of $m/q$ since $t \in (\mathbb{Z}/N\mathbb{Z})^*$. Since $q$ is a prime, this means that $q$ divides the order of the image of $P$ in $E(\mathbb{Z}/p\mathbb{Z})$, and in particular $q \le |E(\mathbb{Z}/p\mathbb{Z})|$. By Hasse's Theorem 7.1.8, we thus have

$q \le (\sqrt{p} + 1)^2.$

Assume that $N$ was not prime. We can then choose for $p$ the smallest prime divisor of $N$, which will be less than or equal to $\sqrt{N}$. Hence we obtain $q \le (\sqrt[4]{N} + 1)^2$, contradicting the hypothesis on the size of $q$ and thus proving the proposition. □

For this proposition to be of any use, we must explain three things. First, how one chooses the elliptic curve, second how one finds $P$, and finally how one chooses $m$. Recall that for all these tasks, we may as well assume that $N$ is prime, since this only helps us in making a choice. Only the above proposition will give us a proof that $N$ is prime.

The only non-trivial choice is that of the integer $m$. First, we have:

Proposition 9.2.2. Let $N$ be a prime coprime to 6, $E$ an elliptic curve modulo $N$ and let

$m = |E(\mathbb{Z}/N\mathbb{Z})|.$

If $m$ has a prime divisor $q$ satisfying

$q > (\sqrt[4]{N} + 1)^2,$

then there exists a point $P \in E(\mathbb{Z}/N\mathbb{Z})$ such that

$m \cdot P = O_E \quad \text{and} \quad (m/q) \cdot P = (x : y : t) \text{ with } t \in (\mathbb{Z}/N\mathbb{Z})^*.$

Proof. First note that any point $P$ will satisfy $m \cdot P = O_E$. Second, since $N$ is assumed here to be prime, $t \in (\mathbb{Z}/N\mathbb{Z})^*$ means $t \ne 0$, hence the second condition is $(m/q) \cdot P \ne O_E$.

Set $G = E(\mathbb{Z}/N\mathbb{Z})$ and assume by contradiction that for every $P \in G$ we have $(m/q) \cdot P = O_E$. This means that the order of any $P$ is a divisor of $m/q$, hence that the exponent of the Abelian group $G$ divides $m/q$. (Recall that the exponent of an Abelian group is the LCM of the orders of the elements of the group.)

Now, by Theorem 7.1.9, we know that $G$ is the product of at most two cyclic groups, i.e. that

$G \simeq \mathbb{Z}/d_1\mathbb{Z} \times \mathbb{Z}/d_2\mathbb{Z} \quad \text{with } d_2 \mid d_1$

(and $d_2 = 1$ if $G$ is cyclic). Hence the exponent of $G$ is equal to $d_1$, while the cardinality of $G$ is equal to $d_1 d_2 \le d_1^2$. Thus we obtain

$m = |G| \le d_1^2 \le (m/q)^2,$

hence $q^2 \le m$. Using our hypothesis on the size of $q$ and Hasse's bound 7.1.8 on $m$, we obtain

$(\sqrt[4]{N} + 1)^2 < \sqrt{N} + 1,$

and this is clearly a contradiction, thus proving the proposition. □


We now know that Proposition 9.2.1 can in principle be applied to prove the primality of $N$, by choosing $m = |E(\mathbb{Z}/N\mathbb{Z})|$, where this cardinality is computed as if $N$ was prime. But that is precisely the main question: how is this computed? We could of course use the baby-step giant-step Algorithm 7.4.12, but this is an $O(N^{1/4})$ algorithm, hence totally unsuitable.

The idea of Goldwasser and Kilian ([Gol-Kil]) is to make use of the remarkable algorithm of Schoof already mentioned in Section 7.4.3 ([Scho]), which computes $m = |E(\mathbb{Z}/N\mathbb{Z})|$ in time $O(\ln^8 N)$. Of course, this algorithm may fail since it is not absolutely certain that $N$ is prime, but if it fails, we will know that $N$ is composite.

Once $m$ has been computed, we trial divide $m$ by small primes, hoping that the unfactored part will be a large strong pseudo-prime. In fact, Goldwasser and Kilian's aim was purely theoretical, and in that case one looks for $m$ equal to twice a strong pseudo-prime. If this is the case, and $q$ is the large pseudo-prime that remains (large meaning larger than $(\sqrt[4]{N} + 1)^2$ of course), we temporarily assume that $q$ is prime, and look at random for a point $P$ so as to satisfy the hypothesis of Proposition 9.2.1. This will be possible (and in fact quite easy) by Proposition 9.2.2.

If such a $P$ is found, there remains the task of proving that our strong pseudo-prime $q$ is prime. For this, we apply the algorithm recursively. Indeed, since $q \le m/2 \le (N + 2\sqrt{N} + 1)/2$, the size of $N$ will decrease by a factor which is at least approximately equal to 2 at each iteration, hence the number of recursive uses of the algorithm will be $O(\ln N)$. We stop using this algorithm as soon as $N$ becomes small enough so that other algorithms (even trial division!) may be used.

The algorithm may be formally stated as follows.

Algorithm 9.2.3 (Goldwasser-Kilian). Let $N$ be a positive integer different from 1 and coprime to 6. This algorithm will try to prove that $N$ is prime. If $N$ is not a prime, the algorithm may detect it, or it may run indefinitely (hence we must absolutely use the Rabin-Miller test before entering this algorithm).

1. [Initialize] Set $i \leftarrow 0$ and $N_i \leftarrow N$.

2. [Is $N_i$ small?] If $N_i < 2^{30}$, trial divide $N_i$ by the primes up to $2^{15}$. If $N_i$ is not prime go to step 9.

3. [Choose a random curve] Choose $a$ and $b$ at random in $\mathbb{Z}/N_i\mathbb{Z}$, and check that $4a^3 + 27b^2 \in (\mathbb{Z}/N_i\mathbb{Z})^*$. Let $E$ be the elliptic curve whose affine Weierstraß equation is $y^2 = x^3 + ax + b$.

4. [Use Schoof] Using Schoof's algorithm, compute $m \leftarrow |E(\mathbb{Z}/N_i\mathbb{Z})|$. If Schoof's algorithm fails go to step 9.

5. [Is $m$ OK?] Check whether $m = 2q$ where $q$ passes the Rabin-Miller test 8.2.2 (or more generally, trial divide $m$ up to a small bound, and check that the remaining factor $q$ passes the Rabin-Miller test and is larger than $(N_i^{1/4} + 1)^2$). If this is not the case, go to step 3.

6. [Find $P$] Choose at random $x \in \mathbb{Z}/N_i\mathbb{Z}$ until the Legendre-Jacobi symbol $\left(\frac{x^3 + ax + b}{N_i}\right)$ is equal to 0 or 1 (this will occur after a few trials at most). Then using Algorithm 1.5.1, compute $y \in \mathbb{Z}/N_i\mathbb{Z}$ such that $y^2 = x^3 + ax + b$ (again, if this algorithm fails, go to step 9), and set $P \leftarrow (x, y)$.

7. [Check $P$] Compute $P_1 \leftarrow m \cdot P$ and $P_2 \leftarrow (m/q) \cdot P$. If during the computations some division was impossible, go to step 9. Otherwise, check that $P_1 = O_E$, i.e. that $P_1 = (0 : 1 : 0)$ in projective coordinates. If $P_1 \ne O_E$, go to step 9. Finally, if $P_2 = O_E$, go to step 6.

8. [Recurse] Set $i \leftarrow i + 1$, $N_i \leftarrow q$ and go to step 2.

9. [Backtrack] (We are here when $N_i$ is not prime, which is a very unlikely occurrence.) If $i = 0$, output a message saying that $N$ is composite and terminate the algorithm. Otherwise, set $i \leftarrow i - 1$ and go to step 3.


Some remarks are in order. As stated in the algorithm, if $N$ is not prime, the algorithm may run indefinitely and so should perhaps not be called an "algorithm" in our sense. Note however that it will never give a false answer. But even if $N$ is prime, the algorithm is probabilistic in nature since we need to find an elliptic curve whose number of points has a special property, and in addition a certain point $P$ on that curve. It can be shown that under reasonable hypotheses on the distribution of primes in short intervals, the expected running time of the algorithm is $O(\ln^{12} N)$, hence is polynomial in $\ln N$. Therefore it is asymptotically faster than the Jacobi sum test. Note however that the Goldwasser-Kilian test is not meant to be practical.

The sequence of primes $N_0 = N, N_1, \ldots, N_i, \ldots$ together with the elliptic curves $E_i$, the points $P_i$ and the cardinalities $m_i$ obtained in the algorithm is called a primality certificate. The reason for this is clear: although it may have been difficult to find $E_i$, $P_i$ or $m_i$, once they are given, to check that the conditions of Proposition 9.2.1 are satisfied (with $q = N_{i+1}$) is very easy, so anybody can prove to his or her satisfaction the primality of $N$ using much less work than executing the algorithm. This is quite different from the Jacobi sum test where to check that the result given by the algorithm is correct, there is little that one can do but use a different implementation and run the algorithm again.

To  finish  this  (sub)section,  note  that,  as  stated  in  the  beginning  of  this 
chapter,  an  important  theoretical  advance  has  been  made  by  Adleman  and 
Huang. 

Their  idea  is  to  use,  in  addition  to  elliptic  curves,  Jacobians  of  curves  of 
genus  2,  and  a  similar  algorithm  to  the  one  above.  Although  their  algorithm 
is  also  not  practical,  the  important  point  is  that  they  obtain  a  probabilistic 
primality  testing  algorithm  which  runs  in  polynomial  time,  in  other  words 
they  prove  Theorem  9.1.  Note  that  the  Goldwasser-Kilian  test  is  not  of  this 
kind  since  only  the  expected  running  time  is  polynomial,  but  the  worst  case 
may  not  be. 


9.2.2  Atkin’s  Test 

Using  the  same  basic  idea,  i.e.  Proposition  9.2.1,  Atkin  has  succeeded  in  finding 
a  practical  version  of  the  elliptic  curve  test.  It  involves  a  number  of  new  ideas. 
This  version  has  been  implemented  by  Atkin  and  by  Morain,  and  has  been 
able to prove the primality of titanic numbers, i.e. numbers having more than
1000  decimal  digits.  The  Jacobi  sum  test  could  of  course  do  the  same,  but  time 
comparisons  have  not  yet  been  done,  although  it  seems  that  at  least  up  to  800 
digits  the  Jacobi  sum  test  is  slightly  faster.  Of  course,  since  asymptotically 
Atkin’s  test  is  polynomial  while  the  Jacobi  sum  test  is  not,  the  former  must 
win  for  N  sufficiently  large. 

The main (if not the sole) practical stumbling block in the algorithm of Goldwasser-Kilian is the computation of $m = |E(\mathbb{Z}/N\mathbb{Z})|$ using Schoof's algorithm. Although progress has been made in the direction of making Schoof's algorithm practical, for example by Atkin and Elkies, Atkin has found a much better idea.

Instead of taking random elliptic curves, we choose instead elliptic curves with complex multiplication by an order in a quadratic number field $K = \mathbb{Q}(\sqrt{D})$ where $N$ splits as a product of two elements. This will enable us to use Theorem 7.2.15 which (if $N$ is prime) gives us immediately the cardinality of $E(\mathbb{Z}/N\mathbb{Z})$.

The test proceeds as follows. As always we can work as if $N$ was prime. We must first find a negative discriminant $D$ such that $N$ splits in the order of discriminant $D$ as a product of two elements. This is achieved by using Cornacchia's Algorithm 1.5.3. Indeed, Cornacchia's algorithm gives us, if it exists, a solution to the equation $x^2 + dy^2 = 4N$, where $d = -D$, hence $\pi\bar{\pi} = N$, with

$$\pi = \frac{x + y\sqrt{D}}{2}.$$

Once such a $D$ is found, using Theorem 7.2.15 we obtain that, if $N$ is prime,

$$m = |E(\mathbb{Z}/N\mathbb{Z})| = N + 1 - \pi - \bar{\pi} = N + 1 - x$$

with the above notations, if $E$ is an elliptic curve with complex multiplication by the order of discriminant $D$. We now check whether $m$ satisfies the condition which will enable us to apply Proposition 9.2.1, i.e. that $m$ is not prime, but its largest prime factor is larger than $(N^{1/4} + 1)^2$. Since we are describing a practical algorithm, this is done much more seriously than in Goldwasser-Kilian's test: we trial divide $m$ up to a much higher bound, and then we can also use Pollard $\rho$ and $p - 1$ to factor $m$.

If $m$ is not suitable, we still have at least another chance. Recall from Section 5.3 that we denote by $w(D)$ the number of roots of unity in the quadratic order of discriminant $D$, hence $w(D) = 2$ if $D < -4$, $w(-4) = 4$ and $w(-3) = 6$.

Then it can be shown that there exist exactly $w(D)$ isomorphism classes of elliptic curves modulo $N$ with complex multiplication by the quadratic order of discriminant $D$. These correspond to the factorizations $N = (\zeta\pi)(\overline{\zeta\pi})$ where $\zeta$ runs over all $w(D)$-th roots of unity (in particular $\zeta = \pm 1$ if $D < -4$).

Hence we can compute $w(D)$ different values of $m$ in this way and hope that at least one of them is suitable. If none are, we go on to another discriminant.

Therefore, let us assume that we have found a suitable value for $m$ corresponding to a certain discriminant $D$. It remains to find explicitly the equations of elliptic curves modulo $N$ with complex multiplication by the order of discriminant $D$.

Now since $N$ splits in the order of discriminant $D$, we have $w(D) \mid N - 1$ and there exist $(N - 1)/2$ values of $g \in \mathbb{Z}/N\mathbb{Z}$ ($(N - 1)/3$ if $D = -3$) such that $g^{(N-1)/p} \ne 1$ for each prime $p \mid w(D)$. Choose one of these values of $g$.

If $D = -4$ (resp. $D = -3$), then the four (resp. six) isomorphism classes of elliptic curves with complex multiplication by the order of discriminant $-4$ (resp. $-3$) are given by the affine equations

$$y^2 = x^3 - g^k x \quad \text{for } 0 \le k \le 3$$

(resp.

$$y^2 = x^3 - g^k \quad \text{for } 0 \le k \le 5).$$

If $D$ is not equal to $-3$ or $-4$, we set

$$c = \frac{j}{j - 1728}, \quad \text{where } j = j\left(\frac{D + \sqrt{D}}{2}\right)$$

is the $j$-invariant which corresponds to the order of discriminant $D$. Then the two isomorphism classes of elliptic curves with complex multiplication by the order of discriminant $D$ can be given by the affine equations

$$y^2 = x^3 - 3c\,g^{2k} x + 2c\,g^{3k} \quad \text{for } k = 0 \text{ or } 1.$$

Note that $j = j((D + \sqrt{D})/2)$ has been defined in Section 7.2.1 as a complex number, and not as an element of $\mathbb{Z}/N\mathbb{Z}$. Hence we must make sense of the above definition.

Recall that according to Theorem 7.2.14, $j$ is an algebraic integer of degree exactly equal to $h(D)$. Furthermore, it can easily be shown that our hypothesis that $N$ splits into a product of two elements is equivalent (if $N$ is prime) to the fact that the minimal monic polynomial $T$ of $j$ in $\mathbb{Z}[X]$ splits completely modulo $N$ as a product of linear factors. Since the roots of $T$ in $\mathbb{C}$ are the conjugates of $j((D + \sqrt{D})/2)$, any one will define by the above equations the isomorphism classes of elliptic curves with complex multiplication by the order of discriminant $D$, hence we define $j$ as being any of the $h(D)$ roots of $T(X)$ in $\mathbb{Z}/N\mathbb{Z}$.

Once  the  elliptic  curve  has  been  found,  the  rest  of  the  algorithm  proceeds 
as  in  the  Goldwasser-Kilian  algorithm,  i.e.  we  must  find  a  point  P  on  the 
curve  satisfying  the  required  properties,  etc  . . . 

There are, however, two remarks to be made. First, we have $w(D)$ elliptic curves modulo $N$ at our disposal, but a priori only one corresponds to a suitable value of $m$, and it is not clear which one. For $D = -3$ and $D = -4$, it is easy to give a recipe that will tell us which elliptic curve to choose. For $D < -4$, such a recipe is more difficult to find, and we then simply compute $m \cdot P$ for our suitable $m$ and a random $P$ on one of the two curves. If this is not equal to the identity, we are on the wrong curve. If it is equal to the identity, this does not prove that we are on the right curve, but if $P$ has really been chosen randomly, we can probably still use the curve to satisfy the hypotheses of Proposition 9.2.1.

The second remark is much more important. To obtain the equation of the curve, it is necessary to obtain the value of $j$ modulo $N$. This clearly is more difficult if the class number $h(D)$ is large. Hence, we start by considering discriminants whose class number is as small as possible. So we start by looking at the 13 quadratic orders with class number 1, then class number 2, etc.

But now a new difficulty appears. The coefficients in the minimal polynomial $T$ of $j$ become large when the class number grows. Of course, they will afterwards be reduced modulo $N$, but to compute them we will need to use high precision computations of the values of $j(\tau)$ for every quadratic irrational $\tau$ corresponding to a reduced quadratic form of discriminant $D$. Since this computation is independent of $N$, it could be done only once and the results stored, but the coefficients are so large that even for a moderately sized table we would need an enormous amount of storage.
Several methods are available to avoid this. First, one can use the notion of genus field to reduce the computations to a combination of relative computations of smaller degree. Second, we can use Weber functions, which are meromorphic functions closely related to the function $j(\tau)$ and which have analogous arithmetic properties. In the best cases, these functions reduce the number of digits of the coefficients of the minimal polynomial $T$ by a factor 24 (see Section 7.6.3).

All these tricks and many more, and the detailed implementation procedures, are described completely in [Atk-Mor] and in Morain's thesis [Mor2]. Here, we will simply give a formal presentation of Atkin's algorithm without any attempt at efficiency.

Algorithm 9.2.4 (Atkin). Given an integer $N$ coprime to 6 and different from 1, this algorithm tries to prove that $N$ is prime. It is assumed that $N$ is already known to be a strong pseudo-prime in the sense of the Rabin-Miller test 8.2.2. We assume that we have a list of negative discriminants $D_n$ ($n \ge 1$) ordered by increasing computational complexity (for example as a first approximation by increasing class number).

1. [Initialize] Set $i \leftarrow 0$, $n \leftarrow 0$ and $N_i \leftarrow N$.

2. [Is $N_i$ small?] If $N_i < 2^{30}$, trial divide $N_i$ by the primes up to $2^{15}$. If $N_i$ is not prime go to step 14.

3. [Choose next discriminant] Let $n \leftarrow n + 1$ and $D \leftarrow D_n$. If $\left(\frac{D}{N_i}\right) \ne 1$, go to step 3. Otherwise, use Cornacchia's Algorithm 1.5.3 to find a solution, if it exists, of the equation $x^2 + |D| y^2 = 4N_i$. If no solution exists, go to step 3.

4. [Factor $m$] For $m = N_i + 1 + x$, $m = N_i + 1 - x$ (and in addition for $m = N_i + 1 + 2y$, $m = N_i + 1 - 2y$ if $D = -4$, or $m = N_i + 1 + (x + 3y)/2$, $m = N_i + 1 - (x + 3y)/2$, $m = N_i + 1 + (x - 3y)/2$, $m = N_i + 1 - (x - 3y)/2$ if $D = -3$), factor $m$ using trial division (up to 1000000, say), then Pollard $\rho$ and $p - 1$. It is worthwhile to spend some time factoring $m$ here.

5. [Does a suitable $m$ exist?] If, using the preceding step, for at least one value of $m$ we can find a $q$ dividing $m$ which passes the Rabin-Miller test 8.2.2 and is larger than $(N_i^{1/4} + 1)^2$, then go to step 6, otherwise go to step 3.

6. [Compute elliptic curve] If $D = -4$, set $a \leftarrow -1$ and $b \leftarrow 0$. If $D = -3$, set $a \leftarrow 0$, $b \leftarrow -1$. Otherwise, using Algorithm 7.6.1, compute the minimal polynomial $T \in \mathbb{Z}[X]$ of $j((D + \sqrt{D})/2)$. Then reduce $T$ modulo $N_i$ and let $j$ be one of the roots of $\bar{T} = T \bmod N_i$ obtained by using Algorithm 1.6.1 (note that we know that $\bar{T} \mid X^{N_i} - X$ so the computation of $A(X)$ in step 1 of that algorithm is not necessary, we can simply set $A \leftarrow \bar{T}$). Then set $c \leftarrow j/(j - 1728) \bmod N_i$, $a \leftarrow -3c \bmod N_i$, $b \leftarrow 2c \bmod N_i$.

7. [Find $g$] By making several random choices of $g$, find $g$ such that $g$ is a quadratic non-residue modulo $N_i$ and in addition if $D = -3$, $g^{(N_i - 1)/3} \not\equiv 1 \pmod{N_i}$.

8. [Find $P$] Choose at random $x \in \mathbb{Z}/N_i\mathbb{Z}$ until the Legendre-Jacobi symbol $\left(\frac{x^3 + ax + b}{N_i}\right)$ is equal to 0 or 1 (this will occur after a few trials at most). Then using Algorithm 1.5.1, compute $y \in \mathbb{Z}/N_i\mathbb{Z}$ such that $y^2 = x^3 + ax + b$ (if this algorithm fails, go to step 14, but see also Exercise 6), and set $P \leftarrow (x, y)$. Finally, set $k \leftarrow 0$.

9. [Find right curve] Compute $P_2 \leftarrow (m/q) \cdot P$ and $P_1 \leftarrow q \cdot P_2$ on the curve whose affine equation is $y^2 = x^3 + ax + b$. If during the computations some division was impossible, go to step 14. If $P_1 = (0 : 1 : 0)$ go to step 12.

10. Set $k \leftarrow k + 1$. If $k \ge w(D)$ go to step 14, else if $D < -4$ set $a \leftarrow ag^2$, $b \leftarrow bg^3$, if $D = -4$ set $a \leftarrow ag$, if $D = -3$ set $b \leftarrow bg$, and go to step 11 (note that $k$ must not be reset here: it counts the twists already tried).

11. [Find a new $P$] Choose at random $x \in \mathbb{Z}/N_i\mathbb{Z}$ until the Legendre-Jacobi symbol $\left(\frac{x^3 + ax + b}{N_i}\right)$ is equal to 0 or 1 (this will occur after a few trials at most). Then using Algorithm 1.5.1, compute $y \in \mathbb{Z}/N_i\mathbb{Z}$ such that $y^2 = x^3 + ax + b$ (if this algorithm fails, go to step 14). Set $P \leftarrow (x, y)$ and go to step 9.

12. [Check $P$] If $P_2 = O_E$, go to step 11.

13. [Recurse] Set $i \leftarrow i + 1$, $N_i \leftarrow q$ and go to step 2.

14. [Backtrack] (We are here when $N_i$ is not prime, which is unlikely.) If $i = 0$, output a message saying that $N$ is composite and terminate the algorithm. Otherwise, set $i \leftarrow i - 1$ and go to step 3.


Most remarks that we have made about the Goldwasser-Kilian algorithm are still valid here. In particular, this algorithm is probabilistic, but its expected running time is polynomial in $\ln N$. More important, it is practical, and as already mentioned, it has been used to prove the primality of numbers having more than 1000 decimal digits, by using weeks of workstation time.

Also, as for the Goldwasser-Kilian test, it gives a certificate of primality for the number $N$, hence the primality of $N$ can be re-checked much faster.
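Added example, not the book's or Morain's code: the Python program below carries out steps 3, 4, 6, 7 and 10 of Algorithm 9.2.4 for the two discriminants that need no $j$-invariant, $D = -4$ and $D = -3$, on a small prime $N$. Cornacchia's algorithm (Algorithm 1.5.3, re-implemented here with a Tonelli-Shanks square root in the role of Algorithm 1.5.1) produces $x^2 + |D| y^2 = 4N$, the $w(D)$ candidate orders of step 4 are listed, and, because $N$ is small, the order of each twist $y^2 = x^3 - g^k x$ (resp. $y^2 = x^3 - g^k$) is counted by brute force. The outcome is that every candidate $m$ is realised by exactly one of the $w(D)$ curves, which is the "which curve?" ambiguity that step 10 resolves by trial. Function names and the sample prime $N = 10009$ (which splits in both $\mathbb{Z}[i]$ and $\mathbb{Z}[(1 + \sqrt{-3})/2]$) are this example's own choices.

```python
# Added example, not code from the book: the point-counting side of Atkin's test for
# D = -4 and D = -3.  Cornacchia's algorithm writes 4N = x^2 + |D| y^2, the w(D) candidate
# orders N + 1 - Tr(zeta * pi) are listed, and for the small N used here each candidate is
# matched by brute-force counting to the twist that actually has that order.
import math

def sqrt_mod(v, p):
    # Square root of v modulo an odd prime p (Tonelli-Shanks, Algorithm 1.5.1), or None.
    v %= p
    if v == 0:
        return 0
    if pow(v, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = next(z for z in range(2, p) if pow(z, (p - 1) // 2, p) == p - 1)  # a non-residue
    c, x, t, m = pow(z, q, p), pow(v, (q + 1) // 2, p), pow(v, q, p), s
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            i, t2 = i + 1, t2 * t2 % p
        b = pow(c, 1 << (m - i - 1), p)
        x, t, c, m = x * b % p, t * b * b % p, b * b % p, i
    return x

def cornacchia4(D, p):
    # Solve x^2 + |D| y^2 = 4p for a prime p and D < 0, D = 0 or 1 (mod 4), |D| < 4p
    # (modified Cornacchia, Algorithm 1.5.3).  None means p does not split.
    x0 = sqrt_mod(D, p)
    if x0 is None:
        return None
    if (x0 - D) % 2:                      # we need x0 = D (mod 2)
        x0 = p - x0
    a, b, limit = 2 * p, x0, math.isqrt(4 * p)
    while b > limit:                      # Euclid until the remainder drops below 2 sqrt(p)
        a, b = b, a % b
    c, r = divmod(4 * p - b * b, -D)
    y = math.isqrt(c)
    return (b, y) if r == 0 and y * y == c else None

def candidate_orders(D, N, x, y):
    # N + 1 - Tr(zeta * pi) for pi = (x + y sqrt(D)) / 2 and zeta running over the w(D) units.
    traces = [x, -x]
    if D == -4:
        traces += [2 * y, -2 * y]
    elif D == -3:
        t1, t2 = (x + 3 * y) // 2, (x - 3 * y) // 2
        traces += [t1, -t1, t2, -t2]
    return sorted(N + 1 - t for t in traces)

def count_points(a, b, N):
    # |E(Z/NZ)| by brute force for the small prime N of the demonstration.
    return 1 + sum(1 if (v := (x * x * x + a * x + b) % N) == 0
                   else 2 * (pow(v, (N - 1) // 2, N) == 1) for x in range(N))

def twist_orders(N, D):
    # Candidate orders and the actual order of each twist y^2 = x^3 - g^k x (D = -4,
    # 0 <= k <= 3) or y^2 = x^3 - g^k (D = -3, 0 <= k <= 5), g as in step 7 of Algorithm 9.2.4.
    x, y = cornacchia4(D, N)
    g = 2
    while pow(g, (N - 1) // 2, N) != N - 1 or (D == -3 and pow(g, (N - 1) // 3, N) == 1):
        g += 1
    counts = {}
    for k in range(4 if D == -4 else 6):
        a, b = (-pow(g, k, N) % N, 0) if D == -4 else (0, -pow(g, k, N) % N)
        counts[k] = count_points(a, b, N)
    return candidate_orders(D, N, x, y), counts
```

For $N = 10009$, `twist_orders(10009, -4)` returns four candidate orders and a dictionary whose values are the same four numbers in some order, and likewise six for $D = -3$; `cornacchia4(-4, 10007)` returns `None` because $10007 \equiv 3 \pmod 4$ does not split in $\mathbb{Z}[i]$, which is the case step 3 skips with $\left(\frac{D}{N_i}\right) \ne 1$.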


9.3  Exercises  for  Chapter  9 


1. a) Let $p$ be a prime, $E$ the set of integers $x$ such that $1 \le x \le p^k$ and $p \nmid x$, and $a$ an integer such that $p \nmid a$. By computing the product of $ax$ for $x \in E$ in two different ways, show that we have

$$\sum_{x \in E} \left\lfloor \frac{xa}{p^k} \right\rfloor x^{-1} \equiv a\,\frac{a^{(p-1)p^{k-1}} - 1}{p^k} \pmod{p^k}.$$

b) Generalize this result, replacing $p^k$ by an arbitrary integer $m$ and the condition $p \nmid a$ by $(a, m) = 1$.

2. Show that if $p$ is an odd prime and $p \nmid a$, we have

$$\frac{a^{(p-1)p^{k-1}} - 1}{p^k} \equiv \frac{a^{p-1} - 1}{p} \pmod p.$$




9  Modern  Primality  Tests 


3.  Prove  Lemma  9.1.24  without  explicitly  using  the  Hasse-Davenport  relations. 


4. (Wolstenholme's theorem)

a) Let $p \ge 5$ be a prime, and set

$$\sum_{1 \le x \le p-1} \frac{1}{x} = \frac{A_p}{B_p},$$

where $A_p$ and $B_p$ are coprime integers. By first adding together the terms for $x$ and for $p - x$, show that $p^2 \mid A_p$ (note that $p \mid A_p$ is immediate).

b) As in Exercise 1, generalize to arbitrary integers $m$, replacing $\sum_{1 \le x \le p-1}$ by $\sum_{1 \le x \le m,\ (x, m) = 1}$.


5. Let $a \in \mathbb{Z}$ and assume that $a^{(N-1)/2} \equiv -1 \pmod N$.

a) Show that for every $r \mid N$ we have $v_2(r - 1) \ge v_2(N - 1)$.

b) Show that equality holds if and only if $\left(\frac{a}{r}\right) = -1$, and in particular that $\left(\frac{a}{N}\right) = -1$.

c) If $N \equiv 1 \pmod 4$ show that condition $\mathcal{L}_2$ is satisfied.

d) If $N \equiv 3 \pmod 8$ and $a = 2$ show that condition $\mathcal{L}_2$ is satisfied.

6. Show how to avoid the search in step 8 of Algorithm 9.2.4 by setting $d \leftarrow x^3 + ax + b$ for some $x$ and modifying the equation of the curve as in step 3 of Algorithm 7.4.12.

7. Let $\chi$ be a character modulo $q$, where $q$ is not necessarily prime. We will say that $\chi$ is primitive if for all divisors $d$ of $q$ such that $d < q$, there exists an $x$ such that $x \equiv 1 \pmod d$ and $\chi(x) \ne 0, 1$. Set $\zeta = e^{2i\pi/q}$, and $\psi(a) = \sum_{x \in \mathbb{Z}/q\mathbb{Z}} \chi(x)\zeta^{ax}$.

a) Let $a$ be such that $d = (a, q) = 1$. Show that $\psi(a) = \overline{\chi}(a)\tau(\chi)$.

b) Assume that $\chi$ is a primitive character and that $d = (a, q) > 1$. Show that there exists a $u \in (\mathbb{Z}/q\mathbb{Z})^*$ such that $au \equiv a \pmod q$ and $\chi(u) \ne 1$. Deduce from this that $\psi(a) = 0$, and hence that the formula $\psi(a) = \overline{\chi}(a)\tau(\chi)$ is still valid.

c) Show that if $\chi$ is a primitive character modulo $q$ which is not necessarily a prime, we still have $|\tau(\chi)| = \sqrt{q}$.

8. Let $\chi$ be a primitive character modulo $q > 1$, as defined in the preceding exercise, and set $S(x) = \sum_{n \le x} \chi(n)$.

a) Using the preceding exercise, give an explicit formula for $\tau(\overline{\chi})S(x)$.

b) Deduce that

$$\sqrt{q}\,|S(x)| \le \sum_{1 \le m < q,\ m \ne q/2} \frac{1}{|\sin(\pi m/q)|}.$$

c) Show finally the Pólya-Vinogradov inequality

$$|S(x)| = \Big|\sum_{1 \le n \le x} \chi(n)\Big| \le \sqrt{q}\,\ln q.$$


Chapter  10 

Modern  Factoring  Methods 


The aim of this chapter is to give an overview of the fastest factoring methods known today. This could be the object of a book in itself, hence it is unreasonable to be as detailed here as we have been in the preceding chapters. In particular, most methods will not be written down as formal algorithms as we have done before. We hope however that we will have given sufficient information so that the reader may understand the methods and be able to implement them, at least in unoptimized form. The reader who wants to implement these methods in a more optimized form is urged to read the abundant literature after reading this chapter, before doing so.


10.1  The  Continued  Fraction  Method 

We will start this survey of modern factoring methods by the continued fraction factoring algorithm (CFRAC). Although superseded by better methods, it is important for two reasons. First, because it was historically the first algorithm which is asymptotically of sub-exponential running time (although this is only a heuristic estimate and was only realized later), and also because in the late 60's and 70's it was the main factoring method in use. The second reason is that it shares a number of properties with more recent factoring methods: it finds a large number of congruences modulo $N$, and the last step consists in Gaussian elimination over the field $\mathbb{Z}/2\mathbb{Z}$. Since the ideas underlying it are fairly simple, it is also a natural beginning.

The  main  idea  of  CFRAC,  as  well  as  the  quadratic  sieve  algorithm  (Section 
10.4)  or  the  number  field  sieve  (Section  10.5),  is  to  find  integers  x  and  y  such 
that 

$$x^2 \equiv y^2 \pmod N, \qquad x \not\equiv \pm y \pmod N.$$

Since $x^2 - y^2 = (x - y)(x + y)$, it is clear that $\gcd(N, x + y)$ will be a non-trivial factor of $N$.

Now finding randomly such integers $x$ and $y$ is a hopeless task. The trick, common to the three factoring methods mentioned above, is to find instead congruences of the form

$$x_k^2 \equiv (-1)^{e_{0k}} p_1^{e_{1k}} \cdots p_m^{e_{mk}} \pmod N$$

where the $p_i$ are "small" prime numbers. If we find sufficiently many such congruences, by Gaussian elimination over $\mathbb{Z}/2\mathbb{Z}$ we may hope to find a relation of the form

$$\sum_{1 \le k \le n} \varepsilon_k (e_{0k}, \ldots, e_{mk}) \equiv (0, \ldots, 0) \pmod 2$$

where $\varepsilon_k = 0$ or $1$, and then if

$$x = \prod_{1 \le k \le n} x_k^{\varepsilon_k}, \qquad y = (-1)^{v_0} p_1^{v_1} \cdots p_m^{v_m},$$

where $\sum_k \varepsilon_k (e_{0k}, \ldots, e_{mk}) = 2(v_0, \ldots, v_m)$, it is clear that we have $x^2 \equiv y^2 \pmod N$. This splits $N$ if, in addition, $x \not\equiv \pm y \pmod N$, a condition which will usually be satisfied.

The set of primes $p_i$ (for $1 \le i \le m$) which are chosen to find the congruences is called the factor base. We will see in each of the factoring methods how to choose it in an optimal manner. These methods differ mainly in the way they generate the congruences.

The  CFRAC  method,  stemming  from  ideas  of  Legendre,  Kraitchik,  Lehmer 
and  Powers,  and  developed  for  computer  use  by  Brillhart  and  Morrison  ([Bri- 
Mor]),  consists  in  trying  to  find  small  values  of  t  such  that  x2  =  t  (mod  TV) 
has  a  solution.  In  that  case,  since  t  is  small,  it  has  a  reasonably  good  chance 
of  being  a  product  of  the  primes  of  our  factor  base,  thus  giving  one  of  the 
sought  for  congruences. 

Now if $t$ is small and $x^2 \equiv t \pmod N$, we can write $x^2 = t + kd^2N$ for some $k$ and $d$, hence $(x/d)^2 - kN = t/d^2$ will be small. In other words, the rational number $x/d$ is a good approximation to the quadratic number $\sqrt{kN}$. Now it is well known (and easy, see [H-W]) that continued fraction expansions of real numbers give good (and in a certain sense the best) rational approximations. This is the basic idea behind CFRAC. We compute the continued fraction expansion of $\sqrt{kN}$ for a number of values of $k$. This gives us good rational approximations $P/Q$, say, and we then try to factor the corresponding integer $t = P^2 - Q^2 kN$ (which will be not too large) on our factor base. If we succeed, we will have a new congruence.

Now  from  Section  5.7,  we  know  that  it  is  easy  to  compute  the  continued 
fraction  expansion  of  a  quadratic  number,  using  no  real  approximations,  but 
only  rather  simple  integer  arithmetic.  Note  that  although  we  know  that  the 
expansion  will  be  ultimately  periodic  (in  fact  periodic  after  one  term  in  the 
case  of  V kN) ,  this  is  completely  irrelevant  for  us  since,  except  for  very  special 
numbers,  we  will  never  compute  the  expansion  on  a  whole  period  or  even  a 
half  period.  The  main  point  which  I  stress  again  is  that  the  expansion  can  be 
computed  simply ,  in  contrast  with  more  general  numbers. 

The formulas of Sections 5.6 and 5.7, adapted to our situation, are as follows. Let $\tau = (-U + \sqrt{D})/(2V)$ be a quadratic number in the interval $[0, 1[$ with $4V \mid U^2 - D$ and $V > 0$ (hence $|U| < \sqrt{D}$). We have

$$\frac{1}{\tau} = \frac{2V(U + \sqrt{D})}{D - U^2} = \frac{U + \sqrt{D}}{2V'},$$

where $V' = (D - U^2)/(4V)$ is a positive integer. Hence, if we set

$$a = \left\lfloor \frac{U + \sqrt{D}}{2V'} \right\rfloor$$

then

$$\frac{-U + \sqrt{D}}{2V} = \cfrac{1}{a + \cfrac{-U' + \sqrt{D}}{2V'}} = \frac{1}{a + \tau'}$$

with $U' = 2aV' - U$. Clearly $\tau' \in [0, 1[$, and since $4VV' = D - U^2 \equiv D - U'^2 \pmod{4V'}$ the conditions on $(U, V)$ are also satisfied for $(U', V')$ hence the process can continue. Thus we obtain the continued fraction expansion of our initial $\tau$.

Note we have simply repeated the proof of Proposition 5.6.6 (2) that if a quadratic form $f = (V, U, (U^2 - D)/(4V))$ is reduced, then $\rho(f)$ is also reduced. In addition, Proposition 5.6.3 tells us that we will always have $U$ and $V$ less than $\sqrt{D}$ if we start with a reduced form. This will be the case for the form corresponding to the quadratic number $\tau = \sqrt{D} - \lfloor \sqrt{D} \rfloor$. If we denote by $a_n$ (resp. $U_n$, $V_n$, $\tau_n$) the different quantities $a$, $U$, $V$ and $\tau$ occurring in the above process, we have, with the usual notation of continued fractions

$$\sqrt{D} = [a_0, a_1, a_2, \ldots, a_n + \tau_n]$$

where we have set $a_0 = \lfloor \sqrt{D} \rfloor$. Hence, if we set

$$[a_0, a_1, \ldots, a_n] = \frac{P_n}{Q_n},$$

we have the usual recursions

$$(P_{n+1}, Q_{n+1}) = a_{n+1}(P_n, Q_n) + (P_{n-1}, Q_{n-1})$$

with $(P_{-1}, Q_{-1}) = (1, 0)$, $(P_0, Q_0) = (a_0, 1)$.

Returning to our factoring process, we apply this continued fraction algorithm to $D = kN$ for squarefree values of $k$ such that $kN \equiv 0$ or $1 \pmod 4$. Then $P_n/Q_n$ will be a good rational approximation to $\sqrt{kN}$, hence $t = P_n^2 - Q_n^2 kN$ will not be too large (more precisely $|t| < 2\sqrt{kN}$, see Proposition 5.7.3), and we can try to factor it on our factor base. For every success, we obtain a congruence

$$x^2 \equiv (-1)^{e_0} p_1^{e_1} p_2^{e_2} \cdots p_m^{e_m} \pmod N$$

as above, and as already explained, once we have obtained at least $m + 2$ such congruences then by Gaussian elimination over $\mathbb{Z}/2\mathbb{Z}$ we can obtain a congruence $x^2 \equiv y^2 \pmod N$, and hence (usually) a non-trivial splitting of $N$.


Remarks. 

(1) For a prime $p$ to be useful in our factor base we must have $\left(\frac{kN}{p}\right) = 0$ or $1$. Indeed, if $p \mid P_n^2 - Q_n^2 kN$, we cannot have $p \mid Q_n$ otherwise $P_n$ and $Q_n$ would not be coprime. Hence $kN$ is congruent to a square modulo $p$, which is equivalent to my claim.

(2) An important improvement to the method of factoring on a fixed factor base is to use the so-called large prime variation which is as follows. A large number of residues will not quite factor completely on our factor base, but will give congruences of the form $x^2 \equiv Fp \pmod N$ where $F$ does factor completely and $p$ is a large prime number not in the factor base. A single such relation is of course useless. But if we have two with the same large prime $p$, say $x_1^2 \equiv F_1 p \pmod N$ and $x_2^2 \equiv F_2 p \pmod N$, we will have $(x_1 x_2/p)^2 \equiv F_1 F_2 \pmod N$ which is a useful relation.

Now since $p$ is large (typically more than $10^5$), it could be expected that getting the same $p$ twice is very rare. That this is not true is an instance of the well known "birthday paradox". What it says in our case is that if $k$ numbers are picked at random among integers less than some bound $B$, then if $k > B^{1/2}$ (approximately) there will be a probability larger than $1/2$ that two of the numbers picked will be equal (see Exercise 5). Hence this large prime variation will give us quite a lot of extra relations essentially for free.

(3)  Another  important  improvement  to  CFRAC  is  the  so-called  early  abort 
strategy.  It  is  based  on  the  following  idea.  Most  of  the  time  is  being  spent 
in  the  factorization  of  the  residues  (this  is  why  methods  using  sieves  such  as 
MPQS  or  NFS  are  so  much  faster).  Instead  of  trying  to  factor  completely 
on  our  factor  base,  we  can  decide  that  if  after  a  number  of  primes  have 
been  tried  the  unfactored  portion  is  too  large,  then  we  should  abort  the 
factoring  procedure  and  generate  the  next  residue.  With  a  suitable  choice 
of  parameters,  this  gives  a  considerable  improvement. 

(4)  Finally,  note  that  the  final  Gaussian  elimination  over  Z/2Z  is  a  non-trivial 
task  since  the  matrices  involved  can  be  huge.  These  matrices  are  however 
very  sparse,  hence  special  techniques  apply.  See  for  example  the  “intel¬ 
ligent  Gaussian  elimination”  method  used  by  LaMacchia  and  Odlyzko 
([LaM-Odl]),  as  well  as  [Copl],  [Cop2]. 
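As an added illustration of the large prime variation of item (2) above (this code is not from the book): the function below scans residues $x^2 \bmod N$ for a constructed toy modulus, keeps those that factor over a small factor base as full relations, parks those that leave a single large prime cofactor, and combines two partials that share the same $p$ into $(x_1 x_2 / p)^2 \equiv F_1 F_2 \pmod N$. The factor base, the range of $x$ and the large prime bound are arbitrary choices made here.

```python
from math import gcd, isqrt

def trial_factor(r, factor_base):
    """Split r into exponents over factor_base and the unfactored cofactor."""
    exps = {}
    for p in factor_base:
        while r % p == 0:
            r //= p
            exps[p] = exps.get(p, 0) + 1
    return exps, r

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def smooth_value(exps):
    """The integer prod p^e described by an exponent dictionary."""
    v = 1
    for p, e in exps.items():
        v *= p ** e
    return v

def verify(N, x, exps):
    """Check the relation x^2 = prod p^e (mod N)."""
    return x * x % N == smooth_value(exps) % N

def collect_relations(N, factor_base, x_values, large_prime_bound):
    """Full relations (x, exps) with x^2 = prod p^e (mod N), plus relations
    (y, exps, p) made from two partials x1^2 = F1 p, x2^2 = F2 p (mod N) sharing
    the large prime p, where y = x1 x2 / p (mod N) and y^2 = F1 F2 (mod N)."""
    full, partial, combined = [], {}, []
    for x in x_values:
        exps, cofactor = trial_factor(x * x % N, factor_base)
        if cofactor == 1:
            full.append((x, exps))
        elif cofactor < large_prime_bound and is_prime(cofactor):
            p = cofactor
            if p not in partial:
                partial[p] = (x, exps)                # first sighting of p: park it
            elif gcd(p, N) == 1:                      # second sighting: combine
                x1, exps1 = partial[p]
                merged = {q: exps1.get(q, 0) + exps.get(q, 0) for q in set(exps1) | set(exps)}
                combined.append((x1 * x * pow(p, -1, N) % N, merged, p))
    return full, combined

if __name__ == "__main__":
    N = 8051                                          # constructed toy modulus, 83 * 97
    full, combined = collect_relations(N, [2, 3, 5, 7, 11, 13], range(90, 140), 1000)
    print(len(full), "full relations,", len(combined), "from shared large primes")
```

For $N = 8051$ the residues of $x = 91$ and $x = 93$ both leave the large prime 23, and their combination gives $y^2 \equiv 2^2 \cdot 5 \cdot 13 \pmod N$.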
10.2 The Class Group Method

10.2.1 Sketch of the Method

The continued fraction method, as well as the more recent quadratic sieve (Section 10.4) or number field sieve (Section 10.5), have sub-exponential running time, which makes them quite efficient, but they also require sub-exponential space.

The class group method due to Schnorr and Lenstra was the first sub-exponential method which required a negligible amount of space, say polynomial space. The other prominent method having this characteristic is the elliptic curve method (see Section 10.3).

Note that we name this method after Schnorr and Lenstra since they published it ([Schn-Len]), but essentially the same method was independently discovered and implemented by Atkin and Rickert, who nicknamed it SPAR (Shanks, Pollard, Atkin, Rickert).

The idea of the method is as follows. We have seen in Section 8.6 that the determination of the 2-Sylow subgroup of the class group of the quadratic field $\mathbb{Q}(\sqrt{-N})$ is equivalent to knowing all the factorizations of $N$. In a manner analogous to the continued fraction method, we consider the class numbers $h(-kN)$ of $\mathbb{Q}(\sqrt{-kN})$ for several values of $k$. Then, if $h(-kN)$ is smooth, we will be able to apply the $p-1$ method, replacing the group $\mathbb{F}_p^*$ by the class group of $\mathbb{Q}(\sqrt{-kN})$. As for the $p-1$ method, this will enable us to compute the (unknown) order of a group, the only difference being that from the order of $\mathbb{F}_p^*$ we split $N$ by computing a GCD with $N$, while in our case we will split $N$ by using ambiguous forms.

Since we will use $p-1$-type methods, we need to specify the bounds $B_1$ (for the first stage), and $B_2$ (for the second stage). Since we have a large number of groups at our disposal, we will be able to create a method which will be a systematic factoring method by choosing $B_1$ and $B_2$ appropriately, since we can hope that $h(-kN)$ will be smooth for a value of $k$ which is not too large.

To choose these values appropriately, we need a fundamental theorem about smooth numbers. The upper bound was first proved by de Bruijn ([de-Bru]), and the complete result by Canfield, Erdős and Pomerance ([CEP]). It is as follows.

Theorem 10.2.1 (Canfield, Erdős, Pomerance). Let

$$\psi(x, y) = |\{n \le x,\ n \text{ is } y\text{-smooth}\}|.$$

Then if we set $u = \ln x / \ln y$, we have

$$\psi(x, y) = x\, u^{-u(1 + o(1))}$$

uniformly for $x \to \infty$ if $(\ln x)^{\epsilon} \le u \le (\ln x)^{1-\epsilon}$ for a fixed $\epsilon \in (0, 1)$.

In particular, if we set

$$L(x) = e^{\sqrt{\ln x \ln \ln x}}$$

then

$$\psi(x, L(x)^a) = x\, L(x)^{-1/(2a) + o(1)}.$$


Now heuristic methods (see Section 5.10 and [Coh-Len1]) seem to indicate that class numbers are not only as smooth, but even slightly smoother than average. Furthermore, it is not difficult to see that there is little quantitative difference between $B$-smoothness and $B$-powersmoothness. Hence, it is not unreasonable to apply Theorem 10.2.1 to estimate the behavior of powersmoothness of class numbers. In addition, the class number $h(-N)$ is $O(N^{1/2+\epsilon})$ (for example $h(-N) < \frac{1}{\pi}\sqrt{N}\ln N$, see Exercise 27 of Chapter 5).

Hence, if we take $x = \sqrt{N}$ and $B = L(x)^a$, we expect that the probability that a given class number of size around $x$ is $B$-powersmooth should be at least $L(x)^{-1/(2a)+o(1)}$, hence the expected number of values of $k$ which we will have to try before hitting a $B$-powersmooth number should be approximately $L(x)^{1/(2a)+o(1)}$. (Note that the class number $h(-kN)$ is still $O(N^{1/2+\epsilon})$ for such values of $k$.) Hence, ignoring step 2 of the $p-1$ algorithm (which in any case influences only the $O$ constant, not the exponents), the expected running time with this choice of $B$ is $O(L(x)^{a + 1/(2a) + o(1)})$, and this is minimal for $a = 1/\sqrt{2}$. Since $L(x)^{1/\sqrt{2}} \approx L(N)^{1/2}$, we see that the optimal choice of $B$ is approximately $L(N)^{1/2}$, and the expected running time is $L(N)^{1 + o(1)}$. Note also that the storage is negligible.
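The optimization of the exponent just stated, carried through with the symbols above (an added derivation, not part of the original text):

$$\text{cost}(a) \approx \underbrace{L(x)^{1/(2a)}}_{\text{values of } k \text{ tried}} \cdot \underbrace{L(x)^{a}}_{\text{work per } k,\ \approx B} = L(x)^{f(a)}, \qquad f(a) = a + \frac{1}{2a},$$

$$f'(a) = 1 - \frac{1}{2a^2} = 0 \iff a = \frac{1}{\sqrt{2}}, \qquad f\!\left(\tfrac{1}{\sqrt{2}}\right) = \frac{1}{\sqrt{2}} + \frac{\sqrt{2}}{2} = \sqrt{2}.$$

With $x = \sqrt{N}$ we have $\ln x = \tfrac{1}{2}\ln N$ and $\ln\ln x = \ln\ln N - \ln 2 = (1 + o(1))\ln\ln N$, so

$$L(\sqrt{N}) = e^{\sqrt{\frac{1}{2}\ln N \ln\ln N\,(1 + o(1))}} = L(N)^{(1 + o(1))/\sqrt{2}},$$

hence $B = L(x)^{1/\sqrt{2}} = L(N)^{1/2 + o(1)}$ and the running time is $L(x)^{\sqrt{2} + o(1)} = L(N)^{1 + o(1)}$.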


10.2.2 The Schnorr-Lenstra Factoring Method

We now give the algorithm. Note that contrary to the $p-1$ method, we do not need to do any backtracking since if $x$ is an ambiguous form which is not the unit form (i.e. is of order exactly equal to 2), so is $x^r$ for any odd number $r$.

Algorithm 10.2.2 (Schnorr-Lenstra). Let $N$ be a composite number. This algorithm will attempt to split $N$. We assume that we have precomputed a table $p[1], \ldots, p[k]$ of all the primes up to $L(N)^{1/2}$.

1. [Initialize] Set $B \leftarrow \lfloor L(N)^{1/2} \rfloor$, $K \leftarrow 1$, $e \leftarrow \lfloor \lg B \rfloor$.

2. [Initialize for $K$] Let $D = -KN$ if $KN \equiv 3 \pmod 4$, $D = -4KN$ otherwise.

3. [Choose form] Let $f_p$ be a random primeform of discriminant $D$ (see Algorithm 5.4.10). Set $x \leftarrow f_p$, $c \leftarrow 0$ and $i \leftarrow 1$.

4. [Next prime] Set $i \leftarrow i + 1$. If $i > k$, set $K \leftarrow K + 1$ and go to step 2. Otherwise, set $q \leftarrow p[i]$, $q_1 \leftarrow q$, $l \leftarrow \lfloor B/q \rfloor$.

5. [Compute power] While $q_1 \le l$, set $q_1 \leftarrow q \cdot q_1$. Then, set $x \leftarrow x^{q_1}$ (powering in the class group), $c \leftarrow c + 1$ and if $c < 20$ go to step 4.

6. [Success?] Set $e_1 \leftarrow 0$, and while $x$ is not an ambiguous form and $e_1 < e$ set $x \leftarrow x^2$ and $e_1 \leftarrow e_1 + 1$. Now if $x$ is not an ambiguous form, set $c \leftarrow 0$, and go to step 4.

7. [Finished?] (Here $x$ is an ambiguous form.) Find the factorization of $KN$ corresponding to $x$. If this does not split $N$ (for example if $x$ is the unit form), go to step 3. Otherwise, output a non-trivial factor of $N$ and terminate the algorithm.

Note that if in step 7 we obtain an ambiguous form which does not succeed in splitting $N$, this very probably still means that the $K$ used is such that $h(-KN)$ is $B$-powersmooth. Therefore we must keep this value of $K$ and try another random form in the group, but we should not change the group anymore. Note also that the first prime tried in step 4 is $p[2] = 3$, and not $p[1] = 2$.
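The following is an added Python sketch of stage 1 of Algorithm 10.2.2 (not the book's own code): it uses textbook composition and reduction of positive definite forms (Algorithm 5.4.7 rather than NUCOMP), takes the first few primeforms of discriminant $D$ instead of random ones, and also runs the ambiguity test after the last prime so that a short prime list is not wasted. The bound $B$, the cap on $K$, the number of forms per group and the test modulus are arbitrary choices made here.

```python
from math import gcd, isqrt

def ext_gcd(a, b):
    """Return (u, v, d) with u*a + v*b = d = gcd(a, b) >= 0."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b, u0, u1, v0, v1 = b, a - q * b, u1, u0 - q * u1, v1, v0 - q * v1
    return (u0, v0, a) if a >= 0 else (-u0, -v0, -a)

def reduce_form(f):
    """Reduce a positive definite form (a, b, c) (Algorithm 5.4.2 in spirit)."""
    a, b, c = f
    D = b * b - 4 * a * c
    while True:
        if -a < b <= a:
            if a > c:
                a, b, c = c, -b, a          # swap so that a <= c, then re-check b
                continue
            return (a, abs(b), c) if a == c else (a, b, c)
        b = b % (2 * a)                     # bring b into (-a, a]
        if b > a:
            b -= 2 * a
        c = (b * b - D) // (4 * a)

def compose(f1, f2):
    """Reduced composition of two forms of the same discriminant (Algorithm 5.4.7)."""
    if f1[0] > f2[0]:
        f1, f2 = f2, f1
    a1, b1, _ = f1
    a2, b2, c2 = f2
    s, n = (b1 + b2) // 2, b2 - (b1 + b2) // 2
    y1, _, d = (0, 0, a1) if a2 % a1 == 0 else ext_gcd(a2, a1)
    if s % d == 0:
        x2, y2, d1 = 0, -1, d
    else:
        x2, v, d1 = ext_gcd(s, d)
        y2 = -v
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    return reduce_form((v1 * v2, b2 + 2 * v2 * r, (c2 * d1 + r * (b2 + v2 * r)) // v1))

def power(f, n, unit):
    """f^n in the class group by binary powering."""
    result, base = unit, f
    while n:
        if n & 1:
            result = compose(result, base)
        base = compose(base, base)
        n >>= 1
    return result

def primeform(D, p):
    """A form (p, b, c) of discriminant D, or None if D is not a square modulo 4p."""
    for b in range(D % 2, 2 * p, 2):
        if (b * b - D) % (4 * p) == 0:
            return reduce_form((p, b, (b * b - D) // (4 * p)))
    return None

def is_ambiguous(f):
    return f[1] == 0 or f[0] == f[1] or f[0] == f[2]

def split_from_ambiguous(f, N):
    """Read the factorization of KN (or 4KN) off a reduced ambiguous form; return a factor of N or None."""
    a, b, c = f
    pair = (a, c) if b == 0 else (a, 4 * c - a) if a == b else (2 * a - b, 2 * a + b)
    for m in pair:
        g = gcd(m, N)
        if 1 < g < N:
            return g
    return None

def schnorr_lenstra(N, B=200, max_K=100, forms_per_K=3):
    """Stage 1 of Algorithm 10.2.2; the ambiguity test is also run after the
    last prime. Returns a non-trivial factor of N, or None within the limits."""
    primes = [p for p in range(3, B + 1) if all(p % d for d in range(2, isqrt(p) + 1))]
    e = B.bit_length() - 1                          # floor(lg B)
    for K in range(1, max_K + 1):
        D = -K * N if (K * N) % 4 == 3 else -4 * K * N
        unit = (1, D % 2, (D % 2 - D) // 4)         # (1, 0, -D/4) or (1, 1, (1 - D)/4)
        forms = [f for f in (primeform(D, p) for p in primes if D % p) if f is not None]
        for x in forms[:forms_per_K]:               # stands in for "random primeform"
            for i, q in enumerate(primes, 1):
                q1 = q
                while q1 * q <= B:                  # largest power of q not exceeding B
                    q1 *= q
                x = power(x, q1, unit)
                if i % 20 == 0 or i == len(primes):
                    e1 = 0
                    while not is_ambiguous(x) and e1 < e:
                        x, e1 = compose(x, x), e1 + 1
                    if is_ambiguous(x):
                        g = split_from_ambiguous(x, N)
                        if g:
                            return g
                        break                       # trivial split: next form, same group
    return None
```

The composition can be checked against the class group of discriminant $-23$, where $(2, 1, 3)^2 = (2, -1, 3)$ and $(2, 1, 3)(2, -1, 3)$ is the unit form $(1, 1, 6)$.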

To give a numerical example of the numbers involved, for $N = 10^{60}$, which is about the maximum size of numbers which one can factor in a reasonable amount of time with this method, we have $B \approx 178905$, and since we need the primes only up to $B$, this is quite reasonable. In fact, it is better to take a lower value of $B_1 = B$, and use the second stage of the $p-1$ method with quite a larger value for $B_2$. This reduces the expected running time of the algorithm, but the optimal values to take are implementation dependent. We leave as an exercise for the reader the incorporation of step 2 of the $p-1$ method into this algorithm, using these remarks (see Exercise 2).

As in all algorithms using class groups of quadratic fields, the basic operation in this algorithm is composition of quadratic forms. Even with the use of optimized methods like NUDUPL and NUCOMP (Algorithms 5.4.8 and 5.4.9), this is still a slow operation. Hence, although this method is quite attractive because of its running time, which is as good as all the other modern factoring algorithms with the exception of the number field sieve, and although it uses little storage, to the author's knowledge it has never been used intensively in factoring projects. Indeed, the elliptic curve method for instance has the same characteristics as the present one as far as speed and storage are concerned, but the group operations on elliptic curves can be done faster than in class groups, especially when (as will be the case), several curves have to be dealt with simultaneously (see Section 10.3).

Also note that it has been proved by Lenstra and Pomerance that for composite numbers of a special form the running time of this algorithm is very poor (i.e. exponential time).




10  Modern  Factoring  Methods 


10.3 The Elliptic Curve Method

10.3.1 Sketch of the Method

We now come to another method which also uses ideas from the $p-1$ method, but uses the group of points of an elliptic curve over $\mathbb{Z}/p\mathbb{Z}$ instead of the group $(\mathbb{Z}/p\mathbb{Z})^*$. This method, due to H. W. Lenstra, is one of the three main methods in use today, together with the quadratic sieve (see Section 10.4) and the number field sieve (see Section 10.5). In addition it possesses a number of properties which make it useful even if it is only used in conjunction with other algorithms. Like the class group method, it requires little storage and has a similar expected running time. Unique among modern factoring algorithms however, it is sensitive to the size of the prime divisors. In other words, its running time depends on the size of the smallest prime divisor $p$ of $N$, and not on $N$ itself. Hence, it can be profitably used to remove "small" factors, after having used trial division and the Pollard $\rho$ method 8.5.2. Without too much trouble, it can find prime factors having 10 to 20 decimal digits. On the other hand, it very rarely finds prime factors having more than 30 decimal digits. This means that if $N$ is equal to a product of two roughly equal prime numbers having no special properties, the elliptic curve method will not be able to factor $N$ if it has more than, say, 70 decimal digits. In this case, one should use the quadratic sieve or the number field sieve.

We now describe the algorithm. As in the class group algorithm, for simplicity we give only the version which uses stage 1 of the $p-1$ method, the extension to stage 2 being straightforward.

Recall that the group law on an elliptic curve of the form $y^2 = x^3 + ax + b$ is given by formulas which generically involve the expression $(y_2 - y_1)/(x_2 - x_1)$. This makes perfect sense in a field (when $x_2 \ne x_1$), but if we decide to work in $\mathbb{Z}/N\mathbb{Z}$, this will not always make sense since $x_2 - x_1$ will not always be invertible when $x_2 \ne x_1$. But this is exactly the point: if $x_2 - x_1$ is not invertible in $\mathbb{Z}/N\mathbb{Z}$ with $x_2 \ne x_1$, this means that $(x_2 - x_1, N)$ is a non-trivial divisor of $N$, and this is what we want. Hence we are going to work on an elliptic curve modulo $N$ (whatever that is, we will define it in Section 10.3.2), and work as if $N$ is prime. Everything will work out as long as every non-zero number modulo $N$ that we encounter is invertible. As soon as it does not work out, we have found a non-trivial factorization of $N$. At this point, the reader may wonder what elliptic curves have to do with all this. We could just as well choose numbers $x$ at random modulo $N$ and compute $(x, N)$, hoping to find a non-trivial divisor of $N$. It is easy to see that this would be an $O(N^{1/2+\epsilon})$ algorithm, totally unsuitable. But if $N$ has a prime divisor $p$ such that our elliptic curve $E$ has a smooth number of points modulo $p$, the $p-1$ method will discover this fact, i.e. find a power of a point giving the unit element of the curve modulo $p$. This means that we will have some $x_1$ and $x_2$ such that $x_1 \equiv x_2 \pmod p$, hence $(x_2 - x_1, N) > 1$, and as with all these methods, this is in fact equal to a non-trivial divisor of $N$. This means it is reasonable to expect that something will break down, which is what we hope in this case.
Before turning to the detailed description of the algorithm, it is instructive to compare the different methods using the $p-1$ idea. For this discussion, we assume that we obtain exactly the prime $p$ which is at the basis of the method. Let $B$ be the stage 1 bound, $M = \operatorname{lcm}[1..B]$, and let $G$ be the underlying group and $a$ an element of $G$.

(1) In the $p-1$ method itself (or its variants like the $p+1$ method), $G = \mathbb{F}_p^*$ (or $G = \mathbb{F}_{p^2}^*$), and we obtain $p$ directly as $\gcd(a^M - 1, N)$.

(2) In the class group method, $G = Cl(\mathbb{Q}(\sqrt{-KN}))$ for a suitable $K$, and we obtain $p$ indirectly through the correspondence between a factorization $KN = p \cdot KN/p$ and some ambiguous form $x$ in $G$, which is obtained as $a^{M/2^t}$ for a suitable value of $t$.

(3) In the elliptic curve method, $G = E(\mathbb{F}_p)$ and we obtain $p$ indirectly because of the impossibility of computing $a^M$ modulo $N$ (that is, we encountered a non-invertible element).

We see that the reasons why we obtain the factorization of $N$ are quite diverse. The running time is essentially governed by the abundance of smooth numbers, i.e. by the theorem of Canfield, Erdős and Pomerance, and so it is not surprising that the running time of the elliptic curve method will be similar to that of the class group method, with the important difference of being sensitive to the size of $p$.


10.3.2 Elliptic Curves Modulo N

Before giving the details of the method, it is useful to give some idea of projective geometry over $\mathbb{Z}/N\mathbb{Z}$ when $N$ is not a prime. When $N$ is a prime, the projective line over $\mathbb{Z}/N\mathbb{Z}$ can simply be considered as the set $\mathbb{Z}/N\mathbb{Z}$ to which is added a single "point at infinity", hence has $N + 1$ elements. When $N$ is not a prime, the situation is more complicated.

Definition 10.3.1. We define projective $n$-space over $\mathbb{Z}/N\mathbb{Z}$ as follows.

Let $\mathcal{E} = \{(x_0, x_1, \ldots, x_n) \in (\mathbb{Z}/N\mathbb{Z})^{n+1},\ \gcd(x_0, x_1, \ldots, x_n, N) = 1\}$. If $\mathcal{R}$ is the relation on $\mathcal{E}$ defined by multiplication by an invertible element of $\mathbb{Z}/N\mathbb{Z}$, then $\mathcal{R}$ is an equivalence relation, and we define

$$\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z}) = \mathcal{E}/\mathcal{R},$$

i.e. the set of equivalence classes of $\mathcal{E}$ modulo the relation $\mathcal{R}$.

We will denote by $(x_0 : x_1 : \cdots : x_n)$ the equivalence class in $\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z})$ of $(x_0, x_1, \ldots, x_n)$.

Remarks.

(1) Note that even though the $x_i$ are in $\mathbb{Z}/N\mathbb{Z}$, it makes sense to take their GCD together with $N$ by taking any representatives in $\mathbb{Z}$ and then computing the GCD.

(2) We recover the usual definition of projective $n$-space over a field when $N$ is prime.

(3) The set $(\mathbb{Z}/N\mathbb{Z})^n$ can be naturally embedded into $\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z})$ by sending $(x_0, x_1, \ldots, x_{n-1})$ to $(x_0 : x_1 : \cdots : x_{n-1} : 1)$. This subset of $\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z})$ will be called for our purposes its affine subspace, and denoted $\mathbb{P}_{\mathrm{Aff}}(\mathbb{Z}/N\mathbb{Z})$, although it is not canonically defined.

(4) If $p$ is a prime divisor of $N$ (or in fact any divisor), there exists a natural map from $\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z})$ to $\mathbb{P}_n(\mathbb{Z}/p\mathbb{Z})$ induced by reducing projective coordinates modulo $p$. Then $P$ belongs to $\mathbb{P}_{\mathrm{Aff}}(\mathbb{Z}/N\mathbb{Z})$ if and only if the reduction of $P$ modulo every prime divisor $p$ of $N$ belongs to $\mathbb{P}_{\mathrm{Aff}}(\mathbb{Z}/p\mathbb{Z})$.

(5) When $N$ is a prime, we have a natural decomposition $\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z}) = \mathbb{P}_{\mathrm{Aff}}(\mathbb{Z}/N\mathbb{Z}) \cup \mathbb{P}_{n-1}(\mathbb{Z}/N\mathbb{Z})$, by identifying $(x_0 : x_1 : \cdots : x_{n-1})$ with $(x_0 : x_1 : \cdots : x_{n-1} : 0)$. In the general case, this is no longer true. We can still make the above identification of $\mathbb{P}_{n-1}$ with a subspace of $\mathbb{P}_n$. (It is easy to check that it is compatible with the equivalence relation defining the projective spaces.) There is however a third subset which enters, made up of points $P = (x_0 : x_1 : \cdots : x_n)$ such that $x_n$ is neither invertible nor equal to 0 modulo $N$, i.e. such that $(x_n, N)$ is a non-trivial divisor of $N$. We will call this set the special subset, and denote it by $\mathbb{P}_S(\mathbb{Z}/N\mathbb{Z})$. For any subset $E$ of $\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z})$ we will denote by $E_{\mathrm{Aff}}$, $E_{n-1}$ and $E_S$ the intersection of $E$ with $\mathbb{P}_{\mathrm{Aff}}$, $\mathbb{P}_{n-1}$ and $\mathbb{P}_S$ respectively. Hence, we have the disjoint union

$$E = E_{\mathrm{Aff}} \cup E_{n-1} \cup E_S.$$


Let us give an example. The projective line over $\mathbb{Z}/6\mathbb{Z}$ has 12 elements, which are $(0 : 1)$, $(1 : 1)$, $(2 : 1)$, $(3 : 1)$, $(4 : 1)$, $(5 : 1)$, $(1 : 2)$, $(3 : 2)$, $(5 : 2)$, $(1 : 3)$, $(2 : 3)$ and $(1 : 0)$ (denoting by the numbers 0 to 5 the elements of $\mathbb{Z}/6\mathbb{Z}$). The first 6 elements make up the affine subspace, and the last element $(1 : 0)$ corresponds to the usual point at infinity, i.e. to $\mathbb{P}_0$. The other 5 elements are the special points.

It is clear that finding an element in the special subset of $\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z})$ will immediately factor $N$, hence the special points are the ones which are interesting for factoring.

We leave as an exercise for the reader to show that

$$|\mathbb{P}_n(\mathbb{Z}/N\mathbb{Z})| = N^n \prod_{p \mid N} \left(1 + \frac{1}{p} + \cdots + \frac{1}{p^n}\right)$$

and in particular

$$|\mathbb{P}_1(\mathbb{Z}/N\mathbb{Z})| = N \prod_{p \mid N} \left(1 + \frac{1}{p}\right)$$

(see Exercise 6).
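An added example (not from the book) that enumerates $\mathbb{P}_1(\mathbb{Z}/N\mathbb{Z})$ by picking the smallest representative of each orbit under the units, splits it into the affine part, the point at infinity and the special points, and checks the count against $N \prod_{p \mid N}(1 + 1/p)$; for $N = 6$ it reproduces the $6 + 1 + 5$ points listed above. The function names are mine.

```python
from math import gcd

def canonical(N, x0, x1):
    """Smallest representative of the class (x0 : x1) under multiplication by units of Z/NZ."""
    return min(((u * x0) % N, (u * x1) % N) for u in range(1, N) if gcd(u, N) == 1)

def projective_line(N):
    """Enumerate P_1(Z/NZ) and split it into the affine part (x : 1), the point at
    infinity (1 : 0) and the special points, whose second coordinate is neither
    invertible nor zero modulo N (so its gcd with N is a proper factor)."""
    seen, affine, infinity, special = set(), [], [], []
    for x0 in range(N):
        for x1 in range(N):
            if gcd(x0, x1, N) != 1:
                continue                     # not a point: (x0, x1, N) must be coprime
            rep = canonical(N, x0, x1)
            if rep in seen:
                continue
            seen.add(rep)
            g = gcd(rep[1], N)
            if g == 1:
                affine.append(rep)
            elif rep[1] == 0:
                infinity.append(rep)
            else:
                special.append(rep)          # gcd(x1, N) is a non-trivial divisor of N
    return affine, infinity, special

def predicted_size(N):
    """N * prod_{p | N} (1 + 1/p), computed exactly in integers."""
    size, n, p = N, N, 2
    while n > 1:
        if n % p == 0:
            size = size * (p + 1) // p
            while n % p == 0:
                n //= p
        p += 1
    return size

if __name__ == "__main__":
    aff, inf, sp = projective_line(6)
    print(len(aff), "affine,", len(inf), "at infinity,", len(sp), "special;",
          "formula gives", predicted_size(6))
```

Note that the book's $(5 : 2)$ appears here under its canonical representative $(1 : 4)$, since $5 \cdot (5, 2) \equiv (1, 4) \pmod 6$.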

Definition 10.3.2. Let $N$ be a positive integer coprime to 6. We define an elliptic curve $E$ over $\mathbb{Z}/N\mathbb{Z}$ as a projective equation of the form

$$y^2 t = x^3 + a x t^2 + b t^3$$

where $(x : y : t)$ are the projective coordinates, and $a$ and $b$ are elements of $\mathbb{Z}/N\mathbb{Z}$ such that $4a^3 + 27b^2$ is invertible modulo $N$.

As usual, by abuse of notation we shall use affine equations and affine coordinates even though it is understood that we work in the projective plane.

Now if $N$ is a prime, the above definition is indeed the definition of an elliptic curve over the field $\mathbb{F}_N$. When $N$ is not a prime the reduction maps modulo the prime divisors $p$ of $N$ clearly send $E(\mathbb{Z}/N\mathbb{Z})$ into $E(\mathbb{Z}/p\mathbb{Z})$. (Note that the condition that $4a^3 + 27b^2$ is invertible modulo $N$ ensures that the reduced curves will all be elliptic curves.) Hence, as with any other set we can write

$$E(\mathbb{Z}/N\mathbb{Z}) = E_{\mathrm{Aff}} \cup E_1 \cup E_S,$$

and $E_S$ is the set of points $(x : y : t)$ such that $t$ is neither invertible nor equal to 0 modulo $N$. This means, in particular, that the reduction of $(x : y : t)$ modulo $p$ will not always be in the affine part modulo $p$.

Warning. Note that if the reduction of $(x : y : t)$ modulo every prime divisor $p$ of $N$ is the point at infinity, this does not imply that $t$ is equal to 0 modulo $N$. What it means is that $t$ is divisible by all the primes dividing $N$, and this implies $t \equiv 0 \pmod N$ only if $N$ is squarefree.

Now we can use the addition laws given by Proposition 7.1.7 to try and define a group law on $E(\mathbb{Z}/N\mathbb{Z})$. They will of course not work as written, since even if $x_1 \ne x_2$, $x_1 - x_2$ may not be invertible modulo $N$. There are two ways around this. The first one, which we will not use, is to define the law on the projective coordinates. This can be done, and involves essentially looking at 9 different cases (see [Bos]). We then obtain a true group law, and on the affine part it is clear that the reduction maps modulo $p$ are compatible with the group laws.

The second way is to stay ignorant of the existence of a complete group law. After all, we only want to factor $N$. Hence we use the formulas of Proposition 7.1.7 as written. If we start with two points in the affine part, their sum $P$ will either be in the affine part, or of the form $(x : y : 0)$ (i.e. belong to $E_1$), or finally in the special part. If $P$ is in the special part, we immediately split $N$ since $(t, N)$ is a non-trivial factor of $N$. If $P = (x : y : 0)$, then note that since $P \in E(\mathbb{Z}/N\mathbb{Z})$ we have $x^3 \equiv 0 \pmod N$. Then either $x \equiv 0 \pmod N$, corresponding to the non-special point at infinity of $E$, or $(x, N)$ is a non-trivial divisor of $N$, and again we will have succeeded in splitting $N$.


10.3.3 The ECM Factoring Method of Lenstra

Before giving the algorithm in detail, we must still settle a few points. First, we must explain how to choose the elliptic curves, and how to choose the stage 1 bound $B$.

As for the choice of elliptic curves, one can simply choose $y^2 = x^3 + ax + 1$ which has the point $(0 : 1 : 1)$ on it, and $a$ is small. For the stage 1 bound, since the number of points of $E$ modulo $p$ is around $p$ by Hasse's theorem, one expects $E(\mathbb{Z}/p\mathbb{Z})$ to be $L(p)^a$-powersmooth with probability $L(p)^{-1/(2a)+o(1)}$ by the Canfield-Erdős-Pomerance theorem, hence if we take $B = L(p)^a$ we expect to try $L(p)^{1/(2a)+o(1)}$ curves before getting a smooth order, giving as total amount of work $L(p)^{a+1/(2a)+o(1)}$ group operations on the curve. This is minimal for $a = 1/\sqrt{2}$, giving a running time of $L(p)^{\sqrt{2}+o(1)}$ group operations.

Since, when $N$ is composite, there exists a $p \mid N$ with $p \le \sqrt{N}$, this gives the announced running time of $L(N)^{1+o(1)}$. But of course what is especially interesting is that the running time depends on the size of the smallest prime factor of $N$, hence the ECM can be used in a manner similar to trial division. In particular, contrary to the class group method, the choice of $B$ should be done not with respect to the size of $N$, but, as in the original $p-1$ method, with respect to the amount of time that one is willing to spend, more precisely to the approximate size of the prime $p$ one is willing to look for.

For example, if we want to limit our search to primes less than $10^{20}$, one can take $B = 12000$ since this is close to the value of $L(10^{20})^{1/\sqrt{2}}$, and we expect to search through 12000 curves before successfully splitting $N$. Of course, in actual practice the numbers will be slightly different since we will also use stage 2. The algorithm is then as follows.

Algorithm 10.3.3 (Lenstra's ECM). Let $N$ be a composite integer coprime to 6, and $B$ be a bound chosen as explained above. This algorithm will attempt to split $N$. We assume that we have precomputed a table $p[1], \ldots, p[k]$ of all the primes up to $B$.

1. [Initialize curves] Set $a \leftarrow 0$ and let $E$ be the curve $y^2 t = x^3 + a x t^2 + t^3$.

2. [Initialize] Set $x \leftarrow (0 : 1 : 1)$, $i \leftarrow 0$.

3. [Next prime] Set $i \leftarrow i + 1$. If $i > k$, set $a \leftarrow a + 1$ and go to step 2. Otherwise, set $q \leftarrow p[i]$, $q_1 \leftarrow q$, $l \leftarrow \lfloor B/q \rfloor$.

4. [Compute power] While $q_1 \le l$, set $q_1 \leftarrow q \cdot q_1$. Then, try to compute $x \leftarrow q_1 \cdot x$ (on the curve $E$) using the law given by Proposition 7.1.7. If the computation never lands in the set of special points or the $n-1$ part of $E$ (i.e. if one does not hit a non-invertible element $t$ modulo $N$), go to step 3.

5. [Finished?] (Here the computation has failed, which is what we want.) Let $t$ be the non-invertible element. Set $g \leftarrow (t, N)$ (which will not be equal to 1). If $g < N$, output $g$ and terminate the algorithm. Otherwise, set $a \leftarrow a + 1$ and go to step 2.

Note that when $g = N$ in step 5, this means that our curve has a smooth order modulo $p$, hence, as with the class group algorithm, we should keep the same curve and try another point. Finding another point may however not be easy since $N$ is not prime, so there is no easy way to compute a square root modulo $N$ (this is in fact essentially equivalent to factoring $N$, see Exercise 1). Therefore we have no other choice but to try again. As usual, this is an exceedingly rare occurrence, and so in practice it does not matter.
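An added Python version of stage 1 of Algorithm 10.3.3 (not the book's code), working in affine coordinates on $y^2 = x^3 + ax + 1$ with the formulas of Proposition 7.1.7 and treating every failed inversion modulo $N$ as the event of step 5; the case $x_1 \equiv x_2$ with $y_1 \not\equiv \pm y_2 \pmod N$, which cannot occur over a field, is also turned into a factor. The test modulus and the cap on the number of curves are constructed here.

```python
from math import gcd, isqrt

class Split(Exception):
    """Raised when a non-invertible t modulo N turns up; g = gcd(t, N) > 1."""
    def __init__(self, g):
        super().__init__(g)
        self.g = g

def primes_up_to(B):
    flags = bytearray([1]) * (B + 1)
    flags[0:2] = b"\x00\x00"
    for i in range(2, isqrt(B) + 1):
        if flags[i]:
            flags[i * i::i] = bytes(len(range(i * i, B + 1, i)))
    return [i for i, f in enumerate(flags) if f]

def ec_add(P, Q, a, N):
    """P + Q in affine coordinates on y^2 = x^3 + a x + b over Z/NZ (Proposition
    7.1.7, used as if N were prime); raises Split when the slope's denominator
    has no inverse modulo N."""
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % N == 0:
        if (y1 + y2) % N == 0:
            raise Split(N)                      # P + (-P): the point at infinity modulo N
        if (y1 - y2) % N != 0:
            raise Split(gcd(y1 - y2, N))        # y1^2 = y2^2 but y1 != +-y2: N splits
        t, num = 2 * y1, 3 * x1 * x1 + a        # doubling: slope (3x^2 + a) / (2y)
    else:
        t, num = x2 - x1, y2 - y1               # distinct x: slope (y2 - y1) / (x2 - x1)
    g = gcd(t % N, N)
    if g > 1:
        raise Split(g)
    m = num * pow(t % N, -1, N) % N
    x3 = (m * m - x1 - x2) % N
    return (x3, (m * (x1 - x3) - y1) % N)

def ec_mul(P, n, a, N):
    """n * P (n >= 1) by left-to-right double-and-add."""
    R = None
    for bit in bin(n)[2:]:
        if R is not None:
            R = ec_add(R, R, a, N)
        if bit == "1":
            R = P if R is None else ec_add(R, P, a, N)
    return R

def ecm_stage1(N, B, max_curves=500):
    """Stage 1 of Algorithm 10.3.3 on y^2 = x^3 + a x + 1 through (0, 1) for
    a = 0, 1, 2, ...; returns a non-trivial factor of N or None."""
    primes = primes_up_to(B)
    for a in range(max_curves):
        g = gcd(4 * a ** 3 + 27, N)             # 4a^3 + 27b^2 must be invertible (b = 1)
        if 1 < g < N:
            return g
        if g == N:
            continue
        P = (0, 1)
        try:
            for q in primes:
                q1 = q
                while q1 * q <= B:              # largest power of q not exceeding B
                    q1 *= q
                P = ec_mul(P, q1, a, N)
        except Split as s:
            if s.g < N:
                return s.g                      # step 5: g = (t, N) with 1 < g < N
            # g == N: smooth order modulo every prime of N at once; try the next curve
    return None

if __name__ == "__main__":
    print(ecm_stage1(10097063, 50))             # constructed: 1009 * 10007
```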

10.3.4 Practical Considerations

The ECM algorithm as given above in particular involves one division modulo $N$ per operation on the elliptic curve, and this needs approximately the same time as computing a GCD with $N$. Thus we are in a similar situation to the Schnorr-Lenstra Algorithm 10.2.2 where the underlying group is a class group and the group operation is composition of quadratic forms, which also involves computing one, and sometimes two GCD's. Hence, apart from the property that ECM usually gives small factors faster, it seems that the practical running time should be slowed down for the same reason, i.e. the relative slowness of the group operation.

In the case of the ECM method however, many improvements are possible which do not apply to the class group method. The main point to notice is that here all the GCD's (or extended GCD's) are with the same number $N$. Hence, we can try grouping all these extended GCD's by working with several curves in parallel. That this can easily be done was first noticed by P. Montgomery. We describe his trick as an algorithm.

Algorithm 10.3.4 (Parallel Inverse Modulo $N$). Given a positive integer $N$ and $k$ integers $a_1, \ldots, a_k$ which are not divisible by $N$, this algorithm either outputs a non-trivial factor of $N$ or outputs the inverses $b_1, \ldots, b_k$ of the $a_i$ modulo $N$.

1. [Initialize] Set $c_1 \leftarrow a_1$ and for $i = 2, \ldots, k$ set $c_i \leftarrow c_{i-1} \cdot a_i \bmod N$.

2. [Apply Euclid] Using one of Euclid's extended algorithms of Section 1.3, compute $(u, v, d)$ such that $u c_k + v N = d$ and $d = (c_k, N)$. If $d = 1$ go to step 3. Otherwise, if $d = N$, then set $d \leftarrow (a_i, N)$ for $i = 1, \ldots, k$ until $d > 1$ (this will happen). Output $d$ as a non-trivial factor of $N$ and terminate the algorithm.

3. [Compute inverses] For $i = k, k-1, \ldots, 2$ do the following. Output $b_i \leftarrow u c_{i-1} \bmod N$, and set $u \leftarrow u a_i \bmod N$. Finally, output $b_1 \leftarrow u$ and terminate the algorithm.

Proof. We clearly have $c_i = a_1 \cdots a_i \bmod N$, hence at the beginning of step 3 we have $u = (a_1 \cdots a_k)^{-1} \bmod N$, showing that the algorithm is valid. □

Let us see the improvements that this algorithm brings. The naive method would have required $k$ extended Euclids to do the job. The present algorithm needs only 1 extended Euclid, plus $3k - 3$ multiplications modulo $N$. Hence, it is superior as soon as 1 extended Euclid is slower than 3 multiplications modulo $N$, and this is almost always the case.
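Algorithm 10.3.4 written out in Python (added here, not the book's code); Python's built-in modular inverse stands in for the extended Euclid of step 2 once the GCD is known to be 1, and the sample inputs are constructed.

```python
from math import gcd

def parallel_inverse(N, a):
    """Algorithm 10.3.4: given a_1..a_k not divisible by N, return either
    ("factor", d) with 1 < d < N, or ("inverses", [b_1..b_k]) with b_i = a_i^-1 mod N,
    at the cost of one gcd/inverse and 3k - 3 multiplications modulo N."""
    k = len(a)
    c = [a[0] % N]                                  # step 1: c_i = a_1 ... a_i mod N
    for i in range(1, k):
        c.append(c[-1] * a[i] % N)
    d = gcd(c[-1], N)                               # step 2: one Euclid on (c_k, N)
    if d != 1:
        if d == N:                                  # c_k = 0 mod N: scan for the culprit
            d = next(g for g in (gcd(x, N) for x in a) if g > 1)
        return ("factor", d)
    u = pow(c[-1], -1, N)                           # u = (a_1 ... a_k)^-1 mod N
    b = [0] * k
    for i in range(k - 1, 0, -1):                   # step 3: peel off one a_i at a time
        b[i] = u * c[i - 1] % N                     # b_i = u c_{i-1}
        u = u * a[i] % N                            # u  = (a_1 ... a_{i-1})^-1
    b[0] = u
    return ("inverses", b)

if __name__ == "__main__":
    print(parallel_inverse(101, [3, 7, 11]))        # constructed: prime modulus, all invertible
    print(parallel_inverse(8051, [5, 166, 7]))      # constructed: 166 shares the factor 83 with N
```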

Now recall from Chapter 7 that the computation of the sum of two points on an elliptic curve $y^2 = x^3 + ax + b$ requires the computation of $m = (y_2 - y_1)(x_2 - x_1)^{-1}$ if the points are distinct, $m = (3x_1^2 + a)(2y_1)^{-1}$ if the points coincide, plus 2 multiplications modulo $N$ and a few additions or subtractions. Since the addition/subtraction times are small compared to multiplication modulo $N$, we see that by using Montgomery's trick on a large number $C$ of curves, the actual time taken for a group operation on the curve in the context of the ECM method is $6 + T/C$ multiplications modulo $N$ when the points are distinct, or $7 + T/C$ when they are equal, where $T$ is the ratio between the time of an extended GCD with $N$ and the time of a multiplication modulo $N$. (Incidentally, note that in every other semi-group that we have encountered, including $\mathbb{Z}$, $\mathbb{R}$, $\mathbb{Z}[X]$ or even class groups, squaring is always faster than general multiplication. In the case of elliptic curves, it is the opposite.) If we take $C$ large enough (say $C = 50$) this gives numbers which are not much larger than 6 (resp. 7), and this is quite reasonable.

Another way to speed up group computations on elliptic curves modulo $N$ is to use projective coordinates instead of affine ones. The big advantage is then that no divisions modulo $N$ are required at all. Unfortunately, since we must now keep track of three coordinates instead of two, the total number of operations increases, and the best that one can do is 12 multiplications modulo $N$ when the points are distinct, 13 when they are equal (see Exercise 3). Thanks to Montgomery's trick, this is worse than the affine method when we work on many curves simultaneously.

By using other parametrizations of elliptic curves than the Weierstraß model $y^2 = x^3 + ax + b$, one can reduce the number 12 to 9 (see [Chu] and Exercise 4), but this still does not beat the $6 + T/C$ above when $C$ is large. Hence, in practice I suggest using affine coordinates on the Weierstraß equation and Montgomery's trick.

Finally, as for the class group method, it is necessary to include a stage 2 into the algorithm, as for the $p-1$ method. The details are left to the reader (see [Mon2], [Bre2]).

As a final remark in this section, we note that one can try to use other algebraic groups than elliptic curves, for example Abelian varieties. D. and G. Chudnovsky have explored this (see [Chu]), but since the group law requires a lot more operations modulo $N$, this does not seem to be useful in practice.


10.4 The Multiple Polynomial Quadratic Sieve

We now describe the quadratic sieve factoring algorithm which, together with the elliptic curve method, is the most powerful general factoring method in use at this time (1994). (The number field sieve has been successfully applied to numbers of a special form, the most famous being the ninth Fermat number $2^{2^9} + 1 = 2^{512} + 1$, a 155 digit number, but for general numbers, the quadratic sieve is still more powerful in the feasible range.) This method is due to C. Pomerance, although some of the ideas were already in Kraitchik.
10.4.1 The Basic Quadratic Sieve Algorithm

As in the continued fraction method CFRAC explained in Section 10.1, we look for many congruences of the type

$$x^2 \equiv \prod_i p_i^{a_i} \pmod N$$

where the p_i are "small" prime numbers, and if we have enough, a Gaussian stage will give us a non-trivial congruence x^2 ≡ y^2 (mod N) and hence a factorization of N. The big difference with CFRAC is the way in which the congruences are generated. In CFRAC, we tried to keep x^2 mod N as small as possible so that it would have the greatest possible chance of factoring on our factor base of p_i. We of course assume that N is not divisible by any element of the factor base.

Here we still want the x^2 mod N to be not too large but we allow residues larger than √N (although still O(N^(1/2+ε))). The simplest way to do this is to consider the polynomial

$$Q(a) = \left(\lfloor\sqrt N\rfloor + a\right)^2 - N.$$

It is clear that Q(a) ≡ x^2 (mod N) for x = ⌊√N⌋ + a and as long as a = O(N^ε), we will have Q(a) = O(N^(1/2+ε)).

Although this is a simpler and more general way to generate small squares modulo N than CFRAC, it is not yet that interesting. The crucial point, from which part of the name of the method derives, is that contrary to CFRAC we do not need to (painfully) factor all these x^2 mod N over the factor base. (In fact, most of them do not factor so this would represent a waste of time.) Here, since Q(a) is a polynomial with integer coefficients, we can use a sieve. Let us see how this works. Assume that for some number m we know that m | Q(a). Then, for every integer k, m | Q(a + km) automatically. To find an a (if it exists) such that m | Q(a) is of course very easy since we solve x^2 ≡ N (mod m) using the algorithm of Exercise 30 of Chapter 1, and take

$$a \equiv x - \lfloor\sqrt N\rfloor \pmod m.$$


Since we are going to sieve, without loss of generality we can restrict to sieving with prime powers m = p^k. If p is an odd prime, then x^2 ≡ N (mod p^k) has a solution (in fact two) if and only if (N/p) = 1, so we include only those primes in our factor base (this was also the case in the CFRAC algorithm) and we compute explicitly the two possible values of a (mod p^k) such that p^k | Q(a), say a_{p^k} and b_{p^k}. If p = 2 and k ≥ 3, then x^2 ≡ N (mod 2^k) has a solution (in fact four) if and only if N ≡ 1 (mod 8) and we again compute them explicitly. Finally, if p = 2 and k = 2, we take x = 1 if N ≡ 1 (mod 4) (otherwise a does not exist) and if p = 2 and k = 1 we take x = 1.

Now for a in a very long interval (the sieving interval), we compute very crudely ln |Q(a)|. (As we will see, an absolute error of 1 for instance is enough, hence we certainly will not use the internal floating point log but some ad hoc program.) We then store this in an array indexed by a. For every prime p in our factor base, and more generally for small prime powers when p is small (a good rule of thumb is to keep all possible p^k less than a certain bound), we subtract a crude approximation to ln p from every element of the array whose index is congruent to a_{p^k} or to b_{p^k} modulo p^k (this is the sieving part). When all the primes of the factor base have been removed in this way, it is clear that a Q(a) will factor on our factor base if and only if what remains at index a in our array is close to 0 (if the logs were exact, it would be exactly zero). In fact, if Q(a) does not factor completely, then the corresponding array element will be at least equal to ln B (where B is the least prime which we have not included in our factor base), and since this is much larger than 1 this explains why we can take very crude approximations to logs.
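To make the sieving description concrete, here is an added toy implementation in Python, written for this page and not taken from the book, of the basic quadratic sieve on a constructed sample N = 15347 = 103 · 149. It follows the text step by step: a factor base of primes with (N/p) = 1, crude scaled-integer logarithms, sieving with prime powers, trial division of the survivors, Gaussian elimination over Z/2Z and finally gcd(x − y, N). The bounds, the brute-force modular square roots and the acceptance threshold of half of ln(bound) are choices made for the toy, not the book's.

```python
from math import gcd, isqrt, log

# Added example, not code from the book: a toy single-polynomial quadratic
# sieve following the description above.  Sizes are tiny and modular square
# roots are found by brute force, which is fine for a toy.

def small_primes(bound):
    return [p for p in range(2, bound + 1)
            if all(p % q for q in range(2, isqrt(p) + 1))]

def factor_base(N, bound):
    """2 and the odd primes p <= bound with (N/p) = 1: only these can divide Q(a)."""
    return [p for p in small_primes(bound)
            if p == 2 or pow(N, (p - 1) // 2, p) == 1]

def roots_mod(N, m):
    """All x modulo m with x^2 = N (mod m); brute force, so m must stay small."""
    return [x for x in range(m) if (x * x - N) % m == 0]

def sieve(N, fb, bound, M, pow_bound=1000, scale=16):
    """Indices a in [0, M) whose Q(a) = (isqrt(N) + a)^2 - N is probably fb-smooth.
    ln|Q(a)| and ln p are kept as small scaled integers: crude values suffice."""
    r = isqrt(N)
    Q = lambda a: (r + a) ** 2 - N
    arr = [round(scale * log(abs(Q(a)))) if Q(a) else 0 for a in range(M)]
    for p in fb:
        lp = round(scale * log(p))
        m = p
        while m <= pow_bound:                    # sieve with p, p^2, p^3, ...
            for root in roots_mod(N, m):         # p^k | Q(a)  <=>  r + a = root (mod p^k)
                for a in range((root - r) % m, M, m):
                    arr[a] -= lp
            m *= p
    # a Q(a) that does not factor keeps a prime factor >= bound, so its entry
    # stays near scale*ln(bound), while smooth entries end up near zero
    threshold = scale * log(bound) / 2
    return [a for a in range(M) if Q(a) and arr[a] < threshold]

def trial_factor(n, fb):
    """Exponent vector of n over [-1] + fb, or None if n is not fb-smooth."""
    exps = [1 if n < 0 else 0]
    n = abs(n)
    for p in fb:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def dependencies(vectors):
    """Gaussian elimination over Z/2Z.  vectors are bit masks; yields lists of
    row indices whose vectors sum to zero, i.e. products that are squares."""
    pivots = {}                                  # lowest set bit -> (vector, history)
    for i, v in enumerate(vectors):
        h = 1 << i                               # which original rows v is a sum of
        while v:
            low = v & -v
            if low not in pivots:
                pivots[low] = (v, h)
                break
            pv, ph = pivots[low]
            v ^= pv
            h ^= ph
        else:
            yield [j for j in range(len(vectors)) if h >> j & 1]

def quadratic_sieve(N, bound=30, M=200):
    """Return a non-trivial factor of N, or None if the toy parameters are too small."""
    fb = factor_base(N, bound)
    r = isqrt(N)
    relations = []                               # (x, exponent vector of x^2 - N)
    for a in sieve(N, fb, bound, M):
        v = trial_factor((r + a) ** 2 - N, fb)   # survivors are verified exactly
        if v is not None:
            relations.append((r + a, v))
    masks = [sum((e & 1) << i for i, e in enumerate(v)) for _, v in relations]
    for dep in dependencies(masks):
        x, exps = 1, [0] * (len(fb) + 1)
        for j in dep:
            x = x * relations[j][0] % N
            exps = [s + e for s, e in zip(exps, relations[j][1])]
        y = 1
        for p, e in zip([-1] + fb, exps):        # every e is even here
            y = y * pow(p, e // 2, N) % N
        for g in (gcd(x - y, N), gcd(x + y, N)):
            if 1 < g < N:
                return g
    return None

if __name__ == "__main__":
    print(factor_base(15347, 30))                # constructed sample, N = 103 * 149
    print(quadratic_sieve(15347))
```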

It can be shown on heuristic grounds, again using the theorem of Canfield, Erdős and Pomerance, that using suitable sieving intervals and factor bases, the running time is of the form O(L(N)^(1+o(1))). Although this is comparable to the class group or ECM methods, note that the basic operation in the quadratic sieve is a single precision subtraction, and it is difficult to have a faster basic operation than that! As a consequence, for practical ranges (say up to 100 decimal digits) the quadratic sieve runs faster than the other methods that we have seen, although as already explained, ECM may be lucky if N has a relatively small prime divisor.

The method that we have just briefly explained is the basic quadratic sieve (QS). Many improvements are possible. The two remarks made at the end of Section 10.1 also apply here. First, only primes p such that p = 2 or (N/p) = 1 need to be taken in the prime base (or more generally primes for which the Legendre symbol is 0 or 1 if a multiplier is used). Second, the large prime variation is just as useful here as before. (This is also the case for the number field sieve, and more generally for any algorithm which uses in some way factor bases, for example McCurley or Buchmann's sub-exponential algorithms for class group and regulator computation.)

10.4.2 The Multiple Polynomial Quadratic Sieve

There is however a specific improvement to the quadratic sieve which explains the first two words of the complete name of the method (MPQS). The polynomial Q(a) introduced above is nice, but unfortunately it stands all alone, hence the values of Q(a) increase faster than we would like. The idea of the Multiple Polynomial Quadratic Sieve is to use several polynomials Q so that the size of Q(a) can be kept as small as possible. The following idea is due to P. Montgomery.

We will take quadratic polynomials of the form Q(x) = Ax^2 + 2Bx + C with A > 0, B^2 − AC > 0 and such that N | B^2 − AC. This gives congruences just as nicely as before since

$$A\,Q(x) = (Ax + B)^2 - (B^2 - AC) \equiv (Ax + B)^2 \pmod N.$$
In addition, we want the values of Q(x) to be as small as possible on the sieving interval. If we want to sieve on an interval of length 2M, it is therefore natural to center the interval at the minimum of the function Q, i.e. to sieve in the interval

$$I = [-B/A - M,\ -B/A + M].$$

Then, for x ∈ I, we have Q(−B/A) ≤ Q(x) ≤ Q(−B/A + M). Therefore to minimize the absolute value of Q(x) we ask that Q(−B/A) ≈ −Q(−B/A + M), which is equivalent to A^2 M^2 ≈ 2(B^2 − AC), i.e. to

$$A \approx \frac{\sqrt{2(B^2 - AC)}}{M},$$

and we will have

$$\max_{x\in I}|Q(x)| \approx \frac{B^2 - AC}{A} \approx M\sqrt{(B^2 - AC)/2}.$$

Since we want this to be as small as possible, but still have N | B^2 − AC, we will choose A, B and C such that B^2 − AC = N itself, and the maximum of |Q(x)| will then be approximately equal to M√(N/2).

This is of the same order of magnitude (in fact even slightly smaller) than the size of the values of our initial polynomial Q(x), but now we have the added freedom to change polynomials as soon as the size of the residues becomes too large for our taste.

To summarize, we first choose an appropriate sieving length M. Then we choose A close to √(2N)/M such that A is prime and (N/A) = 1. Using Algorithm 1.5.1 we find B such that B^2 ≡ N (mod A) and finally we set C = (B^2 − N)/A.

Now as in the ordinary quadratic sieve, we must compute for each prime power p^k in our factor base the values a_{p^k}(Q) and b_{p^k}(Q) with which we will initialize our sieve. These are simply the roots mod p^k of Q(a) = 0. Hence, since the discriminant of Q has been chosen equal to N, they are equal to (−B + a_{p^k})/A and (−B + b_{p^k})/A, where a_{p^k} and b_{p^k} denote the square roots of N modulo p^k which should be computed once and for all. The division by A (which is the only time-consuming part of the operation) is understood modulo p^k.
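The polynomial construction just summarised, as an added Python example written for this page (not the book's code), on a constructed sample N = 1000003 · 1000033 with sieving length M = 1000. It checks the identity A Q(x) ≡ (Ax + B)^2 (mod N), the discriminant B^2 − AC = N, the size estimate M√(N/2) for the maximum of |Q(x)| on I, and the sieve starting points (−B ± t)/A mod p with t a square root of N modulo p, the inversion of A modulo p being the one division per prime; the modular square roots are found by brute force since the sample is small.

```python
from math import isqrt, sqrt

# Added example, not code from the book: Montgomery's polynomial choice for
# MPQS as described above, checked against the identities in the text on a
# constructed sample N.  Modular square roots are found by brute force.

SAMPLE_N = 1000036000099          # constructed: 1000003 * 1000033
SAMPLE_M = 1000                   # constructed sieving half-length

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))

def sqrt_mod_prime(n, p):
    """Both square roots of n modulo the (small) prime p, or [] if none exist."""
    return [t for t in range(p) if (t * t - n) % p == 0]

def mpqs_polynomial(N, M):
    """Choose A ~ sqrt(2N)/M prime with (N/A) = 1, B with B^2 = N (mod A) and
    C = (B^2 - N)/A, so that Q(x) = A x^2 + 2 B x + C has discriminant B^2 - AC = N."""
    A = max(3, isqrt(2 * N) // M)
    while not (is_prime(A) and pow(N, (A - 1) // 2, A) == 1):
        A += 1
    B = sqrt_mod_prime(N % A, A)[0]
    C = (B * B - N) // A          # exact: A divides B^2 - N
    return A, B, C

def Q(poly, x):
    A, B, C = poly
    return A * x * x + 2 * B * x + C

def congruence_holds(poly, N, x):
    """A*Q(x) = (Ax + B)^2 (mod N): the identity that makes Q(x) usable in the sieve."""
    A, B, _ = poly
    return (A * Q(poly, x) - (A * x + B) ** 2) % N == 0

def max_abs_on_interval(poly, M):
    """max |Q(x)| for integer x in [-B/A - M, -B/A + M]."""
    A, B, _ = poly
    centre = -B // A
    return max(abs(Q(poly, x)) for x in range(centre - M, centre + M + 1))

def size_ratio(poly, N, M):
    """max |Q(x)| on I divided by the estimate M*sqrt(N/2); close to 1 when A is well chosen."""
    return max_abs_on_interval(poly, M) / (M * sqrt(N / 2))

def sieve_roots(poly, N, p):
    """Starting points a_p(Q), b_p(Q): the roots of Q modulo a factor-base prime p
    not dividing A, i.e. (-B +- t)/A mod p with t^2 = N (mod p).  The division by A,
    one modular inversion per prime, is the costly step mentioned in the text."""
    A, B, _ = poly
    A_inv = pow(A, -1, p)
    return sorted({(-B + t) * A_inv % p for t in sqrt_mod_prime(N % p, p)})

if __name__ == "__main__":
    poly = mpqs_polynomial(SAMPLE_N, SAMPLE_M)
    print(poly, size_ratio(poly, SAMPLE_N, SAMPLE_M))
    print(sieve_roots(poly, SAMPLE_N, 23))
```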

As for the basic quadratic sieve, heuristically the expected running time of MPQS is O(L(N)^(1+o(1))), as for the class group method and ECM. However, as already mentioned above, the basic operation being so simple, MPQS is much faster than these other methods on numbers which are difficult to factor (numbers equal to a product of two primes having the same order of magnitude).
10.4.3 Improvements to the MPQS Algorithm

The detailed aspects of the implementation of the MPQS algorithm, such as the choice of the sieving intervals, the size of the factor base and criteria to switch from one polynomial to the next, are too technical to be given here. We refer the interested reader to [Sill] which contains all the necessary information for a well tuned implementation of this algorithm.

A number of improvements can however be mentioned. We have already discussed above the large prime variation. Other improvements are as follows.

(1) One improvement is the double large prime variation. This means that we allow the unfactored part of the residues to be equal not only to a single prime, but also to a product of two primes of reasonable size. This idea is a natural one, but it is then more difficult to keep track of the true relations that are obtained, and A. Lenstra and M. Manasse have found a clever way of doing this. I refer to [LLMP] for details.

(2) A second improvement is the small prime variation which is as follows. During the sieving process, the small primes or prime powers take a very long time to process since about 1/p numbers are divisible by p. In addition, their contribution to the logarithms is the smallest. So we do not sieve at all with prime powers less than 100, say. This makes it necessary to keep numbers whose residual logarithm is further away from zero than usual, but practice shows that it makes little difference. The main thing is to avoid missing any numbers which factor, at the expense of having a few extra which do not.

(3) A third improvement is the self-initialization procedure. This is as follows. We could try changing polynomials extremely often, since this would be the best chance that the residues stay small, hence factor. Unfortunately, as we have mentioned above, each time the polynomial is changed we must "reinitialize" our sieve, i.e. recompute starting values a_{p^k}(Q) and b_{p^k}(Q) for each p^k in our factor base. Although all the polynomials have the same discriminant N and the square roots have been precomputed (so no additional square root computations are involved), the time-consuming part is to invert the leading coefficient A modulo each element of the factor base. This prevents us from changing polynomial too often since otherwise this would dominate the running time.

The self-initialization procedure deals with this problem by choosing A not to be a prime, but a product of a few (say 10) distinct medium-sized primes p such that (N/p) = 1. The number of possible values for B (hence the number of polynomials with leading term A) is equal to the number of solutions of B^2 ≡ N (mod A), and this is equal to 2^(t−1) if t is the number of prime factors of A (see Exercise 30 of Chapter 1). Hence this procedure essentially divides by 2^(t−1) most of the work which must be done in initializing the sieve.
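An added Python example, written for this page and not taken from the book, of the self-initialization count just stated. A is taken as a product of t factor-base primes of the constructed sample N = 15347, the 2^(t−1) values of B with B^2 ≡ N (mod A) are assembled by the Chinese remainder theorem with one sign fixed so that B and A − B are not both listed, and the sieve starting points of all the resulting polynomials modulo a prime p reuse a single inversion of A modulo p. The sizes are not tuned the way an MPQS implementation would tune them.

```python
from itertools import product
from math import prod

# Added example, not code from the book: self-initialization.  A is a product
# of t primes with (N/p) = 1; the 2^(t-1) admissible B are built by the CRT and
# all their polynomials share one inversion of A per sieving prime.  N and the
# primes below are constructed for illustration.

def sqrt_mod_prime(n, p):
    """Both square roots of n modulo the (small) odd prime p; [] if none exist."""
    return [t for t in range(p) if (t * t - n) % p == 0]

def crt(residues, moduli):
    """Smallest non-negative x with x = r_i (mod m_i) for pairwise coprime m_i."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, mi) % mi)
        m *= mi
    return x

def self_init_polynomials(N, primes):
    """All 2^(t-1) polynomials Q(x) = A x^2 + 2 B x + C with A = prod(primes) and
    discriminant B^2 - A C = N, one per choice of square-root signs; the sign for
    the first prime is fixed, which removes the B <-> A - B duplicate."""
    A = prod(primes)
    roots = [sqrt_mod_prime(N % p, p) for p in primes]
    polys = []
    for signs in product((0, 1), repeat=len(primes) - 1):
        chosen = [roots[0][0]] + [roots[i + 1][s] for i, s in enumerate(signs)]
        B = crt(chosen, primes)
        C = (B * B - N) // A                    # exact since A | B^2 - N
        polys.append((A, B, C))
    return polys

def sieve_roots_shared(polys, N, p):
    """Sieve starting points modulo p for every polynomial with the same A: the
    inverse of A modulo p, the expensive part of initialisation, is computed once."""
    A = polys[0][0]
    A_inv = pow(A, -1, p)                       # one inversion serves 2^(t-1) polynomials
    t_roots = sqrt_mod_prime(N % p, p)
    return {B: sorted({(-B + t) * A_inv % p for t in t_roots}) for _, B, _ in polys}

def Q(poly, x):
    A, B, C = poly
    return A * x * x + 2 * B * x + C

if __name__ == "__main__":
    N = 15347                                   # constructed sample, 103 * 149
    polys = self_init_polynomials(N, [17, 23, 29])
    print(len(polys), polys)
    print(sieve_roots_shared(polys, N, 31))
```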
10.5.1 Introduction

We now come to the most recent and potentially the most powerful known factoring method, the number field sieve (NFS). For complete details I refer to [Len-Len2]. The basic idea is the same as in the quadratic sieve: by a sieving process we look for congruences modulo N by working over a factor base, and then we do a Gaussian elimination over Z/2Z to obtain a congruence of squares, hence hopefully a factorization of N.

Before describing in detail the method, we will comment on its performance. Prior to the advent of the NFS, all modern factoring methods had an expected running time of at best O(e^(√(ln N ln ln N)(1+o(1)))). Because of the theorem of Canfield, Erdős and Pomerance, some people believed that this could not be improved, except maybe for the (1 + o(1)). The invention by Pollard of the NFS has now changed this belief, since under reasonable heuristic assumptions, one can show that the expected running time of the NFS is

$$O\left(e^{(\ln N)^{1/3}(\ln\ln N)^{2/3}(C + o(1))}\right)$$

for a small constant C (an admissible value is C = (64/9)^(1/3) and this has been slightly lowered by Coppersmith). This is asymptotically considerably better than what existed before. Unfortunately, the practical situation is less simple. First, for a number N having no special form, it seems that the practical cutoff point with, say, the MPQS method, is for quite large numbers, maybe around 130 digits, and these numbers are in any case much too large to be factored by present methods. On the other hand, for numbers having a special form, for example Mersenne numbers 2^p − 1 or Fermat numbers 2^(2^n) + 1, NFS can be considerably simplified (one can in fact decrease the constant C to C = (32/9)^(1/3)), and stays practical for values of N up to 120 digits. In fact, using a system of distributed e-mail computing, and the equivalent of years of CPU time on small workstations, A. K. Lenstra and Manasse succeeded in 1990 in factoring the ninth Fermat number F_9 = 2^512 + 1, which is a number of 155 decimal digits. The factors have respectively 7, 49 and 99 digits and the 7-digit factor was of course already known. Note that the knowledge of this 7-digit factor does not help NFS at all in this case.

The idea of the number field sieve is as follows. We choose a number field K = Q(θ) for some algebraic integer θ, let T(X) ∈ Z[X] be the minimal monic polynomial of θ, and let d be the degree of K. Assume that we know an integer m such that T(m) = kN for a small integer k. Then we can define a ring homomorphism φ from Z[θ] to Z/NZ, by setting

$$\phi(\theta) = m \bmod N.$$

This homomorphism can be extended to Z_K in the following way. Let f = [Z_K : Z[θ]] be the index of Z[θ] in Z_K. We may assume that (f, N) = 1 otherwise we have found a non-trivial factor of N. Hence f is invertible modulo N, and if u ∈ Z is an inverse of f modulo N, for all α ∈ Z_K we can set φ(α) = uφ(fα) since fα ∈ Z[θ].

We can use φ as follows. To take the simplest example, if we can find integers a and b such that a + bm is a square (in Z), and also such that a + bθ is a square (in Z_K), then we may have factored N: write a + bm = x^2, and a + bθ = β^2. Since φ is a ring homomorphism, φ(a + bθ) = a + bm ≡ y^2 (mod N) where we have set y (mod N) = φ(β), hence x^2 ≡ y^2 (mod N), so (x − y, N) may be a non-trivial divisor of N. Of course, in practice it will be impossible to obtain such integers a and b directly, but we can use techniques similar to those which we used in the continued fraction or in the quadratic sieve method, i.e. factor bases. Here however the situation is more complicated. We can take a factor base consisting of primes less than a given bound for the a + bm numbers. But for the a + bθ, we must take prime ideals of Z_K. In general, if K is a number field with large discriminant, this will be quite painful. This is the basic distinction between the general number field sieve and the special one: if we can take for K a simple number field (i.e. one for which we know everything: units, class number, generators of small prime ideals, etc . . . ) then we are in the special case.

We will start by describing the simplest case of NFS, which can be applied only to quite special numbers, and in the following section we will explain what must be done to treat numbers of a general form.


10.5.2 Description of the Special NFS when h(K) = 1

In this section we not only assume that K is a simple number field in the sense explained above, but in addition that Z_K has class number equal to 1 (we will see in the next section what must be done if this condition is not satisfied). Let α ∈ Z_K and write

$$\alpha\mathbb{Z}_K = \prod_i \mathfrak{p}_i^{v_i},$$

where we assume that for all i, v_i > 0. We will say that α is B-smooth if N_{K/Q}(α) is B-smooth, or in other words if all the primes below the 𝔭_i are less than or equal to B. Since Z_K has class number equal to 1, we can write

$$\alpha = \prod_{u\in U} u^{a_u} \prod_{g\in G} g^{v_g},$$

where U is a generating set of the group of units of K (i.e. a system of fundamental units plus a generator of the subgroup of roots of unity in K), and G is a set of Z_K-generators for the prime ideals 𝔭 above a prime p ≤ B (since the ideals 𝔭 are principal).

If a lift of φ(α) to Z is also B-smooth (in practice we always take the lift in [−N/2, N/2]) then we have
$$\phi(\alpha) = \prod_{p \le B} p^{v_p},$$

hence the congruence

$$\prod_{u\in U} \phi(u)^{a_u} \prod_{g\in G} \phi(g)^{v_g} \equiv \prod_{p \le B} p^{v_p} \pmod N.$$

If P is the set of primes less than or equal to B, then as in the quadratic sieve and similar algorithms, if we succeed in finding more than |U| + |G| + |P| such congruences, we can factor N by doing Gaussian elimination over Z/2Z.

By definition an HNF basis of Z_K is of the form (1, (uθ + v)/w, ...). Replacing, if necessary, θ by (uθ + v)/w, without loss of generality we may assume that there exists an HNF basis of Z_K of the form (ω_1, ω_2, ω_3, ...) where ω_1 = 1, ω_2 = θ and ω_i is of degree exactly equal to i − 1 in θ. We will say in this case that θ is primitive.

This being done, we will in practice choose α to be of the form a + bθ with a and b in Z and coprime. We have the following lemma.

Lemma 10.5.1. If a and b are coprime integers, then any prime ideal 𝔭 which divides a + bθ either divides the index f = [Z_K : Z[θ]] or is of degree 1.

Proof. Let p be the prime number below 𝔭. Then p ∤ b otherwise a ∈ 𝔭 ∩ Z hence p | a, contradicting a and b being coprime. Now assume that p ∤ f, and let b^(−1) be an inverse of b modulo p and u be an inverse of f modulo p. We have θ ≡ −ab^(−1) (mod 𝔭). Hence, if x ∈ Z_K, fx ∈ Z[θ] so there exists a polynomial P ∈ Z[X] such that x ≡ uP(−ab^(−1)) (mod 𝔭) so any element of Z_K is congruent to a rational integer modulo 𝔭, hence to an element of the set {0, 1, ..., p − 1}, thus proving the lemma. □

Let d = deg(T) be the degree of the number field K. By Theorem 4.8.13, prime ideals of degree 1 dividing a prime number p not dividing the index correspond to linear factors of T(X) modulo p, i.e. to roots of T(X) in F_p. These can be found very simply by using Algorithm 1.6.1.

For any root c_p ∈ {0, 1, ..., p − 1} of T(X) modulo p, we thus have the corresponding prime ideal of degree 1 above p generated over Z_K by (p, θ − c_p). Now when we factor numbers α of the form a + bθ with (a, b) = 1, we will need to know the 𝔭-adic valuation of α for all prime ideals 𝔭 such that α ∈ 𝔭. But clearly, if p does not divide f, then α ∈ 𝔭 if and only if p | a + bc_p, and if this is the case then α does not belong to any other prime above p since the c_p are distinct. Hence, if p | a + bc_p, the 𝔭-adic valuation of α (with 𝔭 = (p, θ − c_p)) is equal to the p-adic valuation of N(α) which is simple to compute.

For p | f, we can use an HNF basis of 𝔭 with respect to θ, where we may assume that θ is primitive. This basis will then be of the form (p, −c_p + yθ, γ_2, ..., γ_{d−1}) where c_p and y are integers with y | p and the γ_i are polynomials of degree exactly i in θ (not necessarily with integral coefficients). It is clear that a + bθ ∈ 𝔭 if and only if y | b and a ≡ −bc_p/y (mod p). But p | b is impossible since as before it would imply p | a hence a and b would not be coprime. It follows that we must have y = 1. Hence, α ∈ 𝔭 if and only if p | a + bc_p. Furthermore, θ − c_p ∈ 𝔭 implies clearly that T(c_p) ≡ 0 (mod p), i.e. that c_p is a root of T modulo p. The condition is therefore exactly the same as in the case p ∤ f. Note however that now there may be several prime ideals 𝔭 with the same value of c_p, so in that case the 𝔭-adic valuation of α should be computed using for example Algorithm 4.8.17. (Since this will be done only when we know that α and φ(α) are B-smooth, it does not matter in practice that Algorithm 4.8.17 takes longer than the computation of v_p(N(α)).)

Thus, we will compute once and for all the roots c_p of the polynomial T(X) modulo each prime p ≤ B, and the constants β_𝔭 (β in the notation of Algorithm 4.8.17) necessary to apply directly step 3 of Algorithm 4.8.17 for each prime ideal 𝔭 dividing the index. It is then easy to factor α = a + bθ into prime ideals as explained above. Note that in the present situation, it is not necessary to split completely the polynomial T(X) modulo p using one of the methods explained in Chapter 3, but only to find its roots modulo p, and in that case Algorithm 1.6.1 is much faster.

We must however do more, that is we need to factor α into prime elements and units. This is more delicate.

First, we will need to find explicit generators of the prime ideals in our factor base (recall that we have assumed that Z_K is a PID). This can be done by computing norms of a large number of elements of Z_K which can be expressed as polynomials in θ with small coefficients, and combining the norms to get the desired prime numbers. This operation is quite time consuming, and can be transformed into a probabilistic algorithm, for which we refer to [LLMP]. This part is the essential difference with the general NFS since in the general case it will be impossible in practice to find generators of principal ideals. (The fact that Z_K is not a PID in general also introduces difficulties, but which are less important.)

Second, we also need generators for the group of units. This can be done during the search for generators of prime ideals. We find in this way a generating system for the units, and the use of the complex logarithmic embedding allows us to extract a multiplicative basis for the units as in Algorithm 6.5.9.

Choosing a factor base limit B, we will take as factor base for the numbers a + bm the primes p such that p ≤ B, and as factor base for the numbers a + bθ we will take a system G of non-associate prime elements of Z_K whose norm is either equal to ±p, where p is a prime such that p ≤ B and p ∤ f, or equal to ±p^k for some k if p ≤ B and p | f, plus a generating system of the group of units of Z_K.

We have seen that α ∈ 𝔭 if and only if p | a + bc_p which is a linear congruence for a and b. Hence, we can sieve using essentially the same sieving procedure as the one that we have described for the quadratic sieve.
1) By sieving on small primes, eliminate pairs (a, b) divisible by a small prime. (We will therefore keep a few pairs with (a, b) > 1, but this will not slow down the procedure in any significant way.)

2) Initialize the entries in the sieving interval to a crude approximation to ln(a + mb).

3) First sieve: for every p^k ≤ B, subtract ln p from the entries where p^k | a + mb by sieving modulo p, p^2, ...

4) Set a flag on all the entries which are still large (i.e. which are not B-smooth), and initialize the other entries with ln(N(a + bθ)).

5) Second sieve: for every pair (p, c_p), subtract ln p from the unflagged entries for which p | a + bc_p. Note that we cannot sieve modulo p^2, ...

6) For each entry which is smaller than 2 ln B (say), check whether the corresponding N(a + bθ) is indeed smooth and in that case compute the complete factorization of a + bθ on G ∪ U. Note that since we have not sieved with powers of prime ideals, we must check some entries which are larger than ln B.
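The six steps above, as an added Python example written for this page (not the book's code), run on a toy special-NFS instance. The polynomial T(X) = X^5 + 4 with m = 32 arises from the r^e − s construction described later in this section applied to N = 2^23 + 1 (so that T(m) = 4N); the factor base bound 30, the sieving region and the scaled integer logarithms are choices made for the illustration. The algebraic side uses the criterion p | a + bc_p for the roots c_p of T modulo p, the norm N(a + bθ) is evaluated as (−b)^d T(−a/b), and every survivor is confirmed by trial division as step 6 requires.

```python
from math import gcd, isqrt, log

# Added example, not code from the book: the six sieving steps on a toy
# special-NFS instance.  T, m and N are constructed from the r^e - s recipe
# (r = 2, e = 23, s = -1, d = 5); bounds and scale are chosen for the toy.

T = [4, 0, 0, 0, 0, 1]            # coefficients of X^5 + 4, lowest degree first
M_ROOT = 32                       # m = 2^5, so that T(m) = 2^25 + 4 = 4 N
N = 2 ** 23 + 1
D = len(T) - 1

def poly_eval(coeffs, x):
    return sum(c * x ** i for i, c in enumerate(coeffs))

def norm(a, b):
    """N(a + b*theta) = (-b)^d T(-a/b) as an exact integer, T monic of degree d."""
    return (-1) ** D * sum(c * (-a) ** i * b ** (D - i) for i, c in enumerate(T))

def small_primes(bound):
    return [p for p in range(2, bound + 1) if all(p % q for q in range(2, isqrt(p) + 1))]

def roots_mod_p(p):
    """The c_p of the text: roots of T modulo p, found by exhaustive search."""
    return [c for c in range(p) if poly_eval(T, c) % p == 0]

def is_smooth(n, primes):
    n = abs(n)
    for p in primes:
        while n % p == 0:
            n //= p
    return n == 1

def verify_pair(a, b, bound=30):
    """Exact check that (a, b) is coprime with a + m b and N(a + b theta) both smooth."""
    primes = small_primes(bound)
    return gcd(a, b) == 1 and is_smooth(a + M_ROOT * b, primes) and is_smooth(norm(a, b), primes)

def nfs_sieve(bound=30, b_max=6, a_max=60, scale=16):
    """Coprime pairs (a, b), 1 <= b <= b_max, |a| <= a_max, with a + m b and
    N(a + b theta) both bound-smooth, found by steps 1-6 and then confirmed."""
    primes = small_primes(bound)
    algebraic = [(p, c) for p in primes for c in roots_mod_p(p)]   # the pairs (p, c_p)
    logs = {p: round(scale * log(p)) for p in primes}
    cutoff = round(scale * 2 * log(bound))       # step 6: keep entries below 2 ln B
    size = 2 * a_max + 1                         # entry index = a + a_max
    found = []
    for b in range(1, b_max + 1):
        # steps 1 and 2: drop pairs with a common factor, start from ln|a + m b|
        entry = [None if gcd(a, b) != 1 or a + M_ROOT * b == 0
                 else round(scale * log(abs(a + M_ROOT * b)))
                 for a in range(-a_max, a_max + 1)]
        # step 3: rational sieve with p, p^2, ... on the progression a = -m b (mod p^k)
        for p in primes:
            q = p
            while q <= a_max + M_ROOT * b:
                for idx in range((a_max - M_ROOT * b) % q, size, q):
                    if entry[idx] is not None:
                        entry[idx] -= logs[p]
                q *= p
        # step 4: flag what is still large, restart the rest from ln|N(a + b theta)|
        for idx in range(size):
            if entry[idx] is None:
                continue
            a = idx - a_max
            if entry[idx] >= cutoff or norm(a, b) == 0:
                entry[idx] = None
            else:
                entry[idx] = round(scale * log(abs(norm(a, b))))
        # step 5: algebraic sieve, one pass per (p, c_p), modulo p only
        for p, c in algebraic:
            for idx in range((a_max - b * c) % p, size, p):
                if entry[idx] is not None:
                    entry[idx] -= logs[p]
        # step 6: verify the survivors exactly
        for idx in range(size):
            if entry[idx] is not None and entry[idx] < cutoff:
                a = idx - a_max
                if verify_pair(a, b, bound):
                    found.append((a, b))
    return found

if __name__ == "__main__":
    print(poly_eval(T, M_ROOT) == 4 * N)
    print(nfs_sieve())
```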

In practice, the factorization of a + bθ is obtained as follows. Since N(a + bθ) is smooth we know that N(a + bθ) = ∏_{p≤B} p^(v_p). We can obtain the element relations as follows. If only one prime ideal 𝔭 above p corresponds to a given c_p (this is always true if p ∤ f), then if we let d be the degree of 𝔭 (1 if p ∤ f), the 𝔭-adic valuation of a + bθ is v_p/d, and the 𝔭'-adic valuation is zero for every other prime ideal 𝔭' above p. If several prime ideals correspond to the same c_p (this is possible only in the case p | f), then we use Algorithm 4.8.17 to compute the 𝔭-adic valuations. As already mentioned, this will be done quite rarely and does not really increase the running time which is mainly spent in the sieving process. Using the set G of explicit generators of our prime ideals, we thus obtain a decomposition

$$a + b\theta = u \prod_{g\in G} g^{v_g}$$

where u is a unit. If (u_1, ..., u_r) is a system of fundamental units of K and ζ is a generator of the group of roots of unity in K, we now want to write

$$u = \zeta^{n_0} \prod_{i=1}^{r} u_i^{n_i}.$$

To achieve this, we can use the logarithmic embedding L (see Definition 4.9.6) and compute L(a + bθ) − Σ_{g∈G} v_g L(g). This will lie in the hyperplane Σ x_i = 0 of R^(r_1+r_2), and by Dirichlet's theorem, the L(u_i) form a basis of this hyperplane, hence we can find the n_i for i ≥ 1 by solving a linear system (over R, but we know that the solution is integral). Finally, n_0 can be obtained by comparing arguments of complex numbers (or even more simply by comparing signs if everything is real, which can be assumed if d is odd).
10.5.3 Description of the Special NFS when h(K) > 1

In this section, we briefly explain what modifications should be made to the above method in the case h(K) > 1, hence when Z_K is not a PID.

In this case we do not try to find generators of the prime ideals, but we look as before for algebraic integers (not necessarily of the form a + bθ) with small coordinates in an integral basis, having a very smooth norm. More precisely, let 𝔭_1, 𝔭_2, ... be the prime ideals of norm less than or equal to B ordered by increasing norm. We first look for an algebraic integer α_1 whose decomposition gives α_1 Z_K = 𝔭_1^(k_{1,1}) where k_{1,1} is minimal and hence is equal to the order of 𝔭_1 in Cl(K). Then we look for another algebraic integer α_2 such that α_2 Z_K = 𝔭_1^(k_{1,2}) 𝔭_2^(k_{2,2}) where k_{2,2} is minimal and hence is equal to the order of 𝔭_2 in Cl(K)/<𝔭_1>. We may also assume that k_{1,2} < k_{1,1}. We proceed in this way for each 𝔭_i of norm less than or equal to B, and thus we have constructed an upper triangular matrix M whose rows correspond to the prime ideals and whose columns correspond to the numbers α_i. With high probability we have h(K) = ∏_i k_{i,i} but it does not matter if this is not the case.

We can now replace the set G of generators of the 𝔭_i which was used in the case h(K) = 1 by the set of numbers α_i in the following way.

Assume that α is B-smooth and that αZ_K = ∏_i 𝔭_i^(v_i). Let V be the column vector whose components are the v_i. It is clear that αZ_K = ∏_j α_j^(μ_j) Z_K where the μ_j are the components of the vector M^(−1)V which are integers by construction of the matrix M. Hence α = u ∏_j α_j^(μ_j) where u is a unit, and we can proceed as before. Note that since M is an upper triangular matrix it is easy to compute M^(−1)V by induction.

An Example of the Special NFS. Assume that $N$ is of the form $r^e - s$, where $r$ and $s$ are small. Choose a suitable degree $d$ ($d = 5$ is optimal for numbers having 70 digits or more), and set $k = \lceil e/d \rceil$. Consider the polynomial

$$T(X) = X^d - s\,r^{kd-e}.$$

Since $0 \le kd - e < d$ and $s$ and $r$ are small, so is $s\,r^{kd-e}$. If we choose $m = r^k$, it is clear that $T(m) = r^{kd-e}N$ is a small multiple of $N$. If $T$ is an irreducible polynomial, we will work in the number field $K$ of degree $d$ defined by $T$. (If $T$ is reducible, which almost never happens, we usually obtain a non-trivial factorization of $N$ from a non-trivial factorization of $T$.) Since typically $d = 5$, and $s\,r^{kd-e}$ is small, $K$ is a simple field, i.e. it will not be difficult to find generators for ideals of small norm, the class number and a generating system for the group of units.

As mentioned above, the first success of the special NFS was obtained by [LLMP] with the ninth Fermat number $N = 2^{512} + 1$ which is of the above form. They chose $d = 5$, hence $k = 103$ and $T(X) = X^5 + 8$, thus $K = \mathbb{Q}(2^{1/5})$ which happens to be a field with class number equal to 1.
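The construction above carried out in code. This is an added example and not the book's own code: it builds $T$, $m$ and $k$ from $(r, e, s, d)$ with exact integer arithmetic, checks $T(m) = r^{kd-e}N$ on the ninth Fermat number, and computes the two quantities a sieve tests for smoothness, the rational side $a + bm$ and the algebraic side $\mathcal{N}(a + b\theta) = (-1)^d b^d T(-a/b)$ (the $a_d = 1$ case of the norm formula given in Section 10.5.5). The function names are ours and the smoothness test is plain trial division, adequate for a demonstration only.

```python
# Special NFS polynomial selection for N = r^e - s (added example, not from the book).
# Exact integer arithmetic only; no external libraries.

def evaluate(T, x):
    """T(x) by Horner's rule; T is a coefficient list, lowest degree first."""
    value = 0
    for coef in reversed(T):
        value = value * x + coef
    return value

def special_nfs_polynomial(r, e, s, d):
    """For N = r^e - s: k = ceil(e/d), T(X) = X^d - s r^(kd-e), m = r^k, so that T(m) = r^(kd-e) N."""
    N = r ** e - s
    k = -(-e // d)                      # ceiling of e/d without floating point
    c = s * r ** (k * d - e)            # 0 <= kd - e < d, so c stays small
    T = [-c] + [0] * (d - 1) + [1]      # X^d - c, lowest degree first
    m = r ** k
    assert evaluate(T, m) == r ** (k * d - e) * N   # T(m) is a small multiple of N
    return N, T, m, k

def algebraic_norm(T, a, b):
    """Norm of a + b*theta for a root theta of the monic T: (-1)^d b^d T(-a/b), as an exact integer."""
    d = len(T) - 1
    return (-1) ** d * sum(T[i] * (-a) ** i * b ** (d - i) for i in range(d + 1))

def is_smooth(n, B):
    """True if |n| has no prime factor larger than B (trial division, for demonstration only)."""
    n = abs(n)
    if n == 0:
        return False
    p = 2
    while p <= B and n > 1:
        while n % p == 0:
            n //= p
        p += 1
    return n == 1

def sieve_values(T, m, a, b):
    """The two numbers that must both be B-smooth for (a, b) to give a relation:
    the rational side a + b m and the algebraic side N(a + b theta)."""
    return a + b * m, algebraic_norm(T, a, b)

if __name__ == "__main__":
    # The ninth Fermat number 2^512 + 1 = r^e - s with r = 2, e = 512, s = -1, d = 5.
    N, T, m, k = special_nfs_polynomial(2, 512, -1, 5)
    print("k =", k, " T =", T, " m == 2^103:", m == 2 ** 103)    # T = X^5 + 8
    for a, b in [(1, 1), (2, 1), (3, -2)]:
        rational, algebraic = sieve_values(T, m, a, b)
        print((a, b), "algebraic norm", algebraic, "100-smooth:", is_smooth(algebraic, 100))
```

Note that the algebraic side is tiny (the norm of $2 + \theta$ is 24) while the rational side $a + b\,2^{103}$ is huge, which is exactly why the special NFS works so well for numbers of this shape.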
10.5.4 Description of the General NFS

The initial ideas of the general NFS are due to Buhler and Pomerance (see [BLP]). We do not assume anymore that $K$ is a simple field. Hence it is out of the question to compute explicit generators for prime ideals of small norm, a system of fundamental units, etc. We must therefore work with ideals (and not with algebraic numbers) as long as possible.

So we proceed as before, but instead of keeping relations between elements (which is not possible anymore), we keep relations between the prime ideals themselves. As usual in our factor base we take the prime ideals of degree 1 whose norm is less than or equal to $B$ and the prime ideals of norm less than or equal to $B$ which divide the index $f$ (since the index may not be easy to compute, we can use instead the prime ideals above primes $p \le B$ such that $p^2$ divides the discriminant of the polynomial $T$).

After the usual Gaussian elimination step over $\mathbb{Z}/2\mathbb{Z}$, we will obtain algebraic numbers of the form

$$y = \prod (a + b\theta)^{e_{a,b}}$$

where without loss of generality we may assume that $e_{a,b} = 0$ or $1$, such that

$$\phi(y) = \prod_{p \le B} p^{2v_p}$$

(i.e. $\phi(y)$ is $B$-smooth and is a square), and

$$y\mathbb{Z}_K = \prod_{\mathfrak{p}} \mathfrak{p}^{2v_{\mathfrak{p}}},$$

this last product being over the prime ideals of our factor base. Although the principal ideal $y\mathbb{Z}_K$ is equal to the square of an ideal, this does not imply that it is equal to the square of a principal ideal. Fortunately, this difficulty can easily be overcome by using a trick due to L. Adleman (see [Adl]).

Let us say that a non-zero algebraic number $y \in K$ is singular if $y\mathbb{Z}_K$ is the square of a fractional ideal. Let $S$ be the multiplicative group of singular numbers. If $U(K)$ is the group of units of $K$, it is easy to check that we have an exact sequence

$$1 \longrightarrow U(K)/U(K)^2 \longrightarrow S/K^{*2} \longrightarrow Cl(K)[2] \longrightarrow 1,$$

where for any Abelian group $G$, $G[2]$ is the subgroup of elements of $G$ whose square is equal to the identity (see Exercise 9). This exact sequence can be considered as an exact sequence of vector spaces over $\mathbb{F}_2 = \mathbb{Z}/2\mathbb{Z}$. Furthermore, using Dirichlet's Theorem 4.9.5 and the parity of the number $w(K)$ of roots of unity in $K$, it is clear that

$$\dim_{\mathbb{F}_2} U(K)/U(K)^2 = r_1 + r_2.$$

For any finite Abelian group $G$, the exact sequence

$$1 \longrightarrow G[2] \longrightarrow G \longrightarrow G \longrightarrow G/G^2 \longrightarrow 1,$$

where the map from $G$ to $G$ is squaring, shows that $|G[2]| = |G/G^2|$, hence

$$\dim_{\mathbb{F}_2} G[2] = rk_2(G),$$

where the 2-rank $rk_2(G)$ of $G$ is by definition equal to $\dim_{\mathbb{F}_2} G/G^2$ (and also to the number of even factors in the decomposition of $G$ into a direct product of cyclic factors). Putting all this together, we obtain

$$\dim_{\mathbb{F}_2}(S/K^{*2}) = r_1 + r_2 + rk_2(Cl(K)).$$

Hence, if we obtain more than $e = r_1 + r_2 + rk_2(Cl(K))$ singular numbers which are algebraic integers, a suitable multiplicative combination with coefficients 0 or 1 will give an element of $\mathbb{Z}_K \cap K^{*2}$, i.e. a square of $\mathbb{Z}_K$, as in the special NFS, hence a true relation of the form we are looking for. Since $e$ is very small, this simply means that instead of stopping at the first singular integer that we find, we wait till we have at least $e + 1$ more relations than the cardinality of our factor base. Note that it is not necessary (and in practice not possible) to compute $rk_2(Cl(K))$. Any guess is sufficient, since afterwards we will have to check that we indeed obtain a square with a suitable combination, and if we do not obtain a square, this simply means that our guess is not large enough.

To find a suitable combination, following Adleman we proceed as follows. Choose a number $r$ of prime ideals $\mathfrak{p}$ which do not belong to our factor base. A reasonable choice is $r = 3e$, where $e$ can (and must) be replaced by a suitable upper bound. For example, we can choose for $\mathfrak{p}$ ideals of degree 1 above primes which are larger than $B$. Then $\mathfrak{p} = (p, \theta - c_p)$. We could also choose prime ideals of degree larger than 1 above primes (not dividing the index) less than $B$.

Whatever choice is made, the idea is then to compute a generalized Legendre symbol $\left(\frac{a + b\theta}{\mathfrak{p}}\right)$ (see Exercise 19 of Chapter 4) for every $a + b\theta$ which is kept after the sieving process. Hence each relation will be stored as a vector over $\mathbb{Z}/2\mathbb{Z}$ with $|E| + |V| + r$ components, where $E$ is the set of prime ideals in our factor base (and $V$ the set of primes $p \le B$ on the rational side); each of the $r$ extra components records whether the corresponding symbol is $+1$ or $-1$. As soon as we have more relations than components, by Gaussian elimination over $\mathbb{Z}/2\mathbb{Z}$ we can find an algebraic number $x$ which is a singular integer and which is a quadratic residue modulo our $r$ extra primes $\mathfrak{p}$. It follows that $x$ is quite likely a square.
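Adleman's extra columns in code, as an added example that is not from the book. At a degree-1 prime $\mathfrak{p} = (p, \theta - c)$ the symbol $\left(\frac{a+b\theta}{\mathfrak{p}}\right)$ equals $\left(\frac{a+bc}{p}\right)$ (Exercise 8), so each character costs one Legendre symbol. To stay small and checkable the example uses a toy field $K = \mathbb{Q}(\theta)$ with $T(X) = X^2 - 2$ (our choice; a real NFS field has degree 5 and enormous coefficients) and a constructed list of elements $a + b\theta$, among which $(1+\theta)(3+\theta)(5+4\theta) = (5+4\theta)^2$ and $(1+\theta)(7+5\theta) = (3+2\theta)^2$ are genuine squares. It computes 20 characters from the primes $11 \le p < 100$, which lie outside the (fictitious) factor base, finds the dependencies over $\mathbb{Z}/2\mathbb{Z}$, and then does what the text insists on: it verifies each candidate exactly, here by the quadratic-field test that $A^2 - 2B^2$ must be a perfect square (in general that check is the square-root problem discussed next). All function names are ours.

```python
from math import isqrt

# Toy field K = Q(theta) with T(X) = X^2 - 2 (constructed for this added example).
T = [-2, 0, 1]                           # coefficients of T, lowest degree first

def t_mod(c, p):
    """T(c) mod p by Horner's rule."""
    v = 0
    for coef in reversed(T):
        v = (v * c + coef) % p
    return v

def is_prime(p):
    return p > 1 and all(p % q for q in range(2, isqrt(p) + 1))

def degree_one_primes(lo, hi):
    """The degree-1 prime ideals (p, theta - c) with lo <= p < hi: one per root c of T mod p."""
    return [(p, c) for p in range(lo, hi) if is_prime(p) for c in range(p) if t_mod(c, p) == 0]

def legendre(n, p):
    n %= p
    return 0 if n == 0 else (1 if pow(n, (p - 1) // 2, p) == 1 else -1)

def character(a, b, p, c):
    """((a + b theta) / (p, theta - c)) = ((a + b c) / p)  (Exercise 8)."""
    return legendre(a + b * c, p)

def char_mask(a, b, primes):
    """Bit i set iff the i-th character of a + b theta is -1: the r extra columns of one relation."""
    mask = 0
    for i, (p, c) in enumerate(primes):
        chi = character(a, b, p, c)
        if chi == 0:
            raise ValueError("a + b theta lies in the prime; characters must come from outside the factor base")
        if chi == -1:
            mask |= 1 << i
    return mask

def gf2_dependencies(rows):
    """Gaussian elimination over Z/2Z on bitmask rows; returns the index sets whose XOR is zero."""
    pivots, deps = {}, []
    for i, r in enumerate(rows):
        hist = 1 << i                    # which original rows were combined into r
        while r:
            low = r & -r
            if low not in pivots:
                pivots[low] = (r, hist)
                break
            pr, ph = pivots[low]
            r, hist = r ^ pr, hist ^ ph
        if r == 0:
            deps.append([j for j in range(len(rows)) if hist >> j & 1])
    return deps

def product(elements):
    """Multiply out a product of a + b theta in Z[theta], using theta^2 = 2."""
    A, B = 1, 0
    for a, b in elements:
        A, B = A * a + 2 * B * b, A * b + B * a
    return A, B

def sqrt_in_K(A, B):
    """Exact test: is A + B theta a square in Z[theta]?  Returns (c, d) with (c + d theta)^2 = A + B theta
    and c >= 0, or None.  c^2 and 2d^2 are the roots of u^2 - A u + B^2/2, so A^2 - 2B^2 must be a square."""
    n = A * A - 2 * B * B
    if n < 0 or B % 2 or isqrt(n) ** 2 != n:
        return None
    for s in (isqrt(n), -isqrt(n)):
        if (A + s) % 2:
            continue
        c2, twod2 = (A + s) // 2, (A - s) // 2
        if min(c2, twod2) < 0 or twod2 % 2:
            continue
        c, d = isqrt(c2), isqrt(twod2 // 2)
        if c * c == c2 and 2 * d * d == twod2:
            if c * d == B // 2:
                return (c, d)
            if c * d == -(B // 2):
                return (c, -d)
    return None

def find_squares(elements, primes):
    """A vanishing character vector makes a product only *probably* a square: verify each one exactly."""
    rows = [char_mask(a, b, primes) for a, b in elements]
    found = []
    for dep in gf2_dependencies(rows):
        A, B = product(elements[i] for i in dep)
        root = sqrt_in_K(A, B)
        if root is not None:
            found.append((dep, root))
    return found

if __name__ == "__main__":
    primes = degree_one_primes(11, 100)                 # 20 characters, all outside the toy factor base
    elements = [(1, 1), (3, 1), (5, 4), (7, 5), (2, 1), (3, -1)]   # constructed sample relations
    for dep, (c, d) in find_squares(elements, primes):
        print([elements[i] for i in dep], "is the square of", (c, d))
```

The two products that survive the exact check are the two genuine squares; any spurious dependency involving $2 + \theta$ or $3 - \theta$ (whose prime ideals occur to an odd power) is rejected by `sqrt_in_K`, which is the role of the final verification the text describes.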

Assuming this to be the case, one of the most difficult problems of the general number field sieve, which is not yet satisfactorily solved at the time of this writing, is the problem of finding an algorithm to compute a square root $y$ of $x$. Note that in practice $x$ will be a product of thousands of $a + b\theta$, hence will be an algebraic number with coefficients (as polynomials in $\theta$, say) having several hundred thousand decimal digits. Although feasible in principle, it does not seem that the explicit computation of $x$ as a polynomial in $\theta$ will be of much help because of the size of the coefficients involved. Similarly for any other practical representation of $x$, for example by its minimal polynomial.
Let us forget this practical difficulty for the moment. We would like an algorithm which, given an algebraic integer $x$ of degree $d$, either finds $y \in \mathbb{Q}[x]$ such that $y^2 = x$, or says that such a $y$ does not exist. A simple-minded algorithm to achieve this is as follows.

Algorithm 10.5.2 (Square Root in a Number Field). Given an algebraic integer $x$ by its minimal monic polynomial $A(X) \in \mathbb{Z}[X]$ of degree $d$, this algorithm finds a $y$ such that $y^2 = x$ and $y \in \mathbb{Q}[x]$, or says that such a $y$ does not exist. (If $x$ is given in some other way than by its minimal polynomial, compute the minimal polynomial first.) We let $K = \mathbb{Q}[x]$.

1. [Factor $A(X^2)$] Factor the polynomial $A(X^2)$ in $\mathbb{Z}[X]$. If $A(X^2)$ is irreducible, then $y$ does not exist and terminate the algorithm. Otherwise, let $A(X^2) = \pm S(X)S(-X)$ for some monic polynomial $S \in \mathbb{Z}[X]$ of degree $d$ be the factorization of $A(X^2)$ (it is necessarily of this form with $S$ irreducible, see Exercise 10).

2. [Reduce to degree 1] Let $S(X) = (X^2 - x)Q(X) + R(X)$ be the Euclidean division of $S(X)$ by $X^2 - x$ in $K[X]$.

3. [Output result] Write $R(X) = aX + b$ with $a$ and $b$ in $K$ and $a \ne 0$. Output $y \leftarrow -b/a$ and terminate the algorithm.

The proof of the validity of this algorithm is easy and left to the reader (Exercise 10).
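Steps 2 and 3 of Algorithm 10.5.2 in code, as an added example that is not from the book. The factorization of step 1 is exactly the expensive part discussed below, so it is taken as given: $S$ is supplied by hand for two toy inputs, $x = 3 + 2\sqrt{2}$ (with $A = X^2 - 6X + 1$ and $S = X^2 - 2X - 1$, the minimal polynomial of $1 + \sqrt{2}$) and $x = \sqrt[3]{4}$ (with $A = X^3 - 4$ and $S = X^3 - 2$, where the sign in $A(X^2) = \pm S(X)S(-X)$ is $-$). Step 2 uses that, modulo $X^2 - x$, the even and odd parts of $S(X) = E(X^2) + X\,O(X^2)$ collapse to $b = E(x)$ and $a = O(x)$, and division in $K$ is done by the extended Euclidean algorithm on $a$ and $A$. Function names are ours.

```python
from fractions import Fraction as Fr

# Steps 2-3 of Algorithm 10.5.2 (added example, not the book's code).  Polynomials are coefficient
# lists, lowest degree first, with exact rational coefficients; an element of K = Q[x] is a
# polynomial in x reduced modulo the minimal polynomial A.  Step 1 (factoring A(X^2)) is assumed done.

def trim(p):
    while p and p[-1] == 0:
        p = p[:-1]
    return p

def frs(p):
    return [Fr(c) for c in p]

def padd(p, q):
    n = max(len(p), len(q))
    return trim([(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0) for i in range(n)])

def pneg(p):
    return [-c for c in p]

def pmul(p, q):
    r = [Fr(0)] * (len(p) + len(q) - 1) if p and q else []
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return trim(r)

def pdivmod(p, q):
    """Euclidean division in Q[X] (q non-zero): returns (quotient, remainder)."""
    p, q = trim(frs(p)), trim(frs(q))
    dq = len(q) - 1
    quo = [Fr(0)] * max(len(p) - dq, 0)
    while len(p) > dq:
        k, coef = len(p) - 1 - dq, p[-1] / q[-1]
        quo[k] = coef
        p = trim([p[i] - coef * q[i - k] if 0 <= i - k < len(q) else p[i] for i in range(len(p))])
    return trim(quo), p

def k_mul(u, v, A):
    """Product in K = Q[x] = Q[X]/(A)."""
    return pdivmod(pmul(frs(u), frs(v)), A)[1]

def k_inv(u, A):
    """Inverse in K by the extended Euclidean algorithm on u and the irreducible A."""
    r0, r1 = frs(A), trim(frs(u))
    s0, s1 = [], [Fr(1)]                     # invariant: s_i * u = r_i (mod A)
    while len(r1) > 1:                       # stop once r1 is a non-zero constant
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, padd(s0, pneg(pmul(q, s1)))
    return pdivmod([c / r1[0] for c in s1], A)[1]

def k_eval(coeffs, A):
    """Evaluate a polynomial with rational coefficients at x, inside K (Horner's rule)."""
    result = []
    for c in reversed(coeffs):
        result = padd(k_mul(result, [0, 1], A), [Fr(c)])
    return result

def step1_check(A, S):
    """Verify the shape required by step 1: A(X^2) = +-S(X)S(-X)."""
    A2 = trim([Fr(A[i // 2]) if i % 2 == 0 else Fr(0) for i in range(2 * len(A) - 1)])
    S_minus = [Fr(c) if i % 2 == 0 else Fr(-c) for i, c in enumerate(S)]      # S(-X)
    prod = pmul(frs(S), S_minus)
    return prod == A2 or prod == pneg(A2)

def number_field_sqrt(A, S):
    """Given A (minimal polynomial of x) and S from step 1, return y in Q[x] with y^2 = x.
    S(X) = E(X^2) + X O(X^2), so S mod (X^2 - x) is E(x) + X O(x): a = O(x), b = E(x), y = -b/a."""
    if not step1_check(A, S):
        raise ValueError("S does not satisfy A(X^2) = +-S(X)S(-X)")
    a, b = k_eval(S[1::2], A), k_eval(S[0::2], A)
    y = pdivmod(pneg(pmul(b, k_inv(a, A))), A)[1]
    assert k_mul(y, y, A) == [0, 1]          # y^2 = x, as the algorithm promises
    return y

if __name__ == "__main__":
    # x = 3 + 2 sqrt(2) = (1 + sqrt 2)^2:  A = X^2 - 6X + 1,  S = X^2 - 2X - 1.
    print(number_field_sqrt([1, -6, 1], [-1, -2, 1]))          # [-1/2, 1/2], i.e. y = (x - 1)/2
    # x = cbrt(4) = cbrt(2)^2:  A = X^3 - 4,  S = X^3 - 2, and A(X^2) = -S(X)S(-X).
    print(number_field_sqrt([-4, 0, 0, 1], [-2, 0, 0, 1]))     # [0, 0, 1/2], i.e. y = x^2/2
```

Everything here is cheap once $S$ is known; the remark that follows in the text is that for the NFS the coefficients of $A$ and $S$ are the obstacle, not these two steps.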

Unfortunately, in our case, simply computing the polynomial $A(X)$ is already not easy, and factoring $A(X^2)$ will be even more difficult (although it will be a polynomial of degree 10 for example, its coefficients have several hundred thousand digits). So a new idea is needed at this point. For example, H. W. Lenstra has suggested looking for $y$ of the form $y = \prod (a + b\theta)$, the product being over coprime pairs $(a, b)$ such that $a + b\theta$ is smooth, but not necessarily $a + bm$. This has the advantage that many more pairs $(a, b)$ are available, and also leads to a linear system over $\mathbb{Z}/2\mathbb{Z}$. Future work will tell whether this method or similar ones are sufficiently practical.


10.5.5  Miscellaneous  Improvements  to  the  Number  Field  Sieve 

Several  improvements  have  been  suggested  to  improve  the  (theoretical  as  well 
as  practical)  performance  of  NFS.  Most  of  the  work  has  been  done  on  the 
general  NFS,  since  the  special  NFS  seems  to  be  in  a  satisfactory  state.  We 
mention  only  two,  since  lots  of  work  is  being  done  on  this  subject. 

The most important choice in the general NFS is the choice of the number field $K$, i.e. of the polynomial $T \in \mathbb{Z}[X]$ such that $T(m) = kN$ for some small integer $k$. Choosing a fixed degree $d$ (as already mentioned, $d = 5$ is optimal for numbers having more than 60 or 70 digits), we choose $m = \lfloor N^{1/d} \rfloor$. If

$$N = m^d + a_{d-1}m^{d-1} + \cdots + a_0$$

is the base $m$ expansion of $N$ (with $0 \le a_i < m$), we can choose

$$T(X) = X^d + a_{d-1}X^{d-1} + \cdots + a_0.$$

It is however not necessary to take the base $m$ expansion of $N$ in the strictest sense, since any base $m$ expansion of $N$ whose coefficients are at most of the order of $m$ is suitable. In addition, we can choose to expand some small multiple $kN$ of $N$ instead of $N$ itself. This gives us additional freedom.

Another idea is to use $m = \lceil N^{1/(d+1)} \rceil$ instead of $\lfloor N^{1/d} \rfloor$. The base $m$ expansion of $N$ is then of the form $N = a_d m^d + a_{d-1}m^{d-1} + \cdots + a_0$ with $a_d$ not necessarily equal to 1, but still less than $m$. We take as before

$$T(X) = a_d X^d + a_{d-1}X^{d-1} + \cdots + a_0,$$

and if $\theta$ is a root of $T$, then $\theta$ is not an algebraic integer if $a_d > 1$. We can now use Exercise 15 of Chapter 4 which tells us that $a_d\theta$, $a_d\theta^2 + a_{d-1}\theta$, $\ldots$ are algebraic integers. The map $\phi$ is defined as usual by $\phi(\theta) = m$ and extended to polynomials in $\theta$ with integer coefficients. In particular, if $a$ and $b$ are integers, $a_d(a + b\theta)$ is an algebraic integer and

$$\phi(a_d(a + b\theta)) = a_d(a + mb)$$

is always divisible by $a_d$. Also,

$$\mathcal{N}(a_d(a + b\theta)) = (-1)^d a_d^{d-1} b^d T(-a/b)$$

with $b^d T(-a/b) \in \mathbb{Z}$. We then proceed as before, but using numbers of the form $a_d(a + b\theta)$ with $a$ and $b$ coprime, instead of simply $a + b\theta$.

To get rid of $a_d$ in the final relations, it is not necessary to include the prime factors of $a_d$ in the factor base, but simply to take an even number of factors in each relation.
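The two base-$m$ choices in code, as an added example that is not the book's code: an exact integer $d$-th root, the digit expansion giving $T$ with $T(m) = N$, and for the non-monic case the values $\phi(a_d(a + b\theta)) = a_d(a + mb)$ and $\mathcal{N}(a_d(a + b\theta)) = (-1)^d a_d^{d-1} b^d T(-a/b)$ computed as integers (the sum $\sum_i a_i (-a)^i b^{d-i}$ is $b^d T(-a/b)$). The sample $N = 2^{131} - 1$ is a constructed 40-digit input with no significance; function names are ours.

```python
# Base-m polynomial selection for the general NFS (added example, not from the book).
# Exact integer arithmetic only.

def iroot(n, d):
    """Largest integer x with x^d <= n, by binary search (no floating point)."""
    lo, hi = 0, 1 << (n.bit_length() // d + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** d <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def base_m_digits(N, m, d):
    """Digits a_0, ..., a_d of N in base m (lowest first), so that sum a_i m^i = N; needs N < m^(d+1)."""
    digits = []
    for _ in range(d + 1):
        N, a = divmod(N, m)
        digits.append(a)
    if N:
        raise ValueError("N needs more than d+1 digits in base m")
    return digits

def evaluate(T, x):
    """T(x) by Horner's rule."""
    value = 0
    for coef in reversed(T):
        value = value * x + coef
    return value

def monic_polynomial(N, d):
    """m = floor(N^(1/d)); T(X) = X^d + a_{d-1} X^{d-1} + ... + a_0 with T(m) = N and 0 <= a_i < m."""
    m = iroot(N, d)
    T = base_m_digits(N, m, d)
    if T[-1] != 1:                       # only happens for N so small that N >= 2 m^d
        raise ValueError("leading digit is not 1; choose a larger N or a smaller d")
    return m, T

def nonmonic_polynomial(N, d):
    """m = ceil(N^(1/(d+1))); T(X) = a_d X^d + ... + a_0 with T(m) = N and 1 <= a_d < m."""
    m = iroot(N, d + 1)
    if m ** (d + 1) < N:
        m += 1
    return m, base_m_digits(N, m, d)

def phi_ad(T, m, a, b):
    """phi(a_d (a + b theta)) = a_d (a + m b): the rational-side value, always divisible by a_d."""
    return T[-1] * (a + m * b)

def norm_ad(T, a, b):
    """N(a_d (a + b theta)) = (-1)^d a_d^(d-1) b^d T(-a/b), computed as an exact integer."""
    d, ad = len(T) - 1, T[-1]
    bd_T = sum(T[i] * (-a) ** i * b ** (d - i) for i in range(d + 1))   # this is b^d T(-a/b)
    return (-1) ** d * ad ** (d - 1) * bd_T

if __name__ == "__main__":
    N = 2 ** 131 - 1                     # constructed 40-digit sample input
    for name, (m, T) in [("monic", monic_polynomial(N, 5)), ("non-monic", nonmonic_polynomial(N, 5))]:
        assert evaluate(T, m) == N
        print(name, "m =", m, "T =", T)
        print("   phi =", phi_ad(T, m, 3, 2), " norm =", norm_ad(T, 3, 2))
```

The non-monic choice makes $m$ about $N^{1/6}$ instead of $N^{1/5}$, so all the $a_i$ (and hence the norms) are smaller; the price is the factor $a_d$ that the last paragraph explains how to absorb.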

A  second  type  of  improvement,  studied  by  D.  Coppersmith,  is  to  use  sev¬ 
eral  number  fields  K.  This  leads  to  an  improvement  of  the  constant  in  the 
exponent  of  the  running  time  of  NFS,  but  its  practicality  has  not  yet  been 
tested.  The  idea  is  a  little  similar  to  the  use  of  several  polynomials  in  MPQS. 


10.6  Exercises  for  Chapter  10 

1. Show that the problem of computing a square root modulo an arbitrary integer $N$ is probabilistically polynomial time equivalent to the problem of factoring $N$ in the following sense. If we have an algorithm for one of the problems, then we can solve the other in probabilistic polynomial time.

2. Generalize Algorithm 10.2.2 by incorporating a second stage in the manner of Algorithm 8.8.3.

3. Show how to write the addition law on an elliptic curve modulo $N$ given by a Weierstraß equation using projective coordinates, using 12 multiplications modulo $N$, or 13 for the double of a point.

4. By using a Fermat parametrization of an elliptic curve, i.e. a projective equation of the form $x^3 + ay^3 = bt^3$, show how to compute the addition law using only 9 multiplications modulo $N$, or 10 for the double of a point.

5. Let $B$ and $k$ be large integers, and let $a_1, \ldots, a_k$ be a randomly chosen sequence of integers less than $B$. Give an estimate of the average number of pairs $(i, j)$ such that $a_i = a_j$. You may assume that $k > B^{1/2}$.

6. Let $n$ be fixed, and set $f(N) = |\mathbb{P}^n(\mathbb{Z}/N\mathbb{Z})|$.

a) Show that $f(N) = g(N)/\phi(N)$ where $\phi(N)$ is the Euler $\phi$ function, and $g(N)$ is the number of $(n+1)$-uples $(x_0, \ldots, x_n) \in (\mathbb{Z}/N\mathbb{Z})^{n+1}$ such that $\gcd(x_0, \ldots, x_n, N) = 1$.

b) Show that $\sum_{d \mid N} g(d) = N^{n+1}$.

c) Using the Möbius inversion formula (see [H-W] Section 16.4), prove the formula for $f(N)$ given in the text.

7. In the multiple polynomial version of the quadratic sieve factoring algorithm, we have $aQ(x) \equiv y^2 \pmod{N}$ for some $y$, and not $Q(x)$ itself. Then why do we take into account in the explanation the maximum of $|Q(x)|$ and not of $|aQ(x)|$?

8. Let $\mathfrak{p} = (p, \theta - c_p)$ be a prime ideal of degree 1 in $\mathbb{Z}_K$, where $K = \mathbb{Q}(\theta)$. If $x = a + b\theta \in \mathbb{Z}_K$, show that $\left(\frac{x}{\mathfrak{p}}\right) = \left(\frac{a + bc_p}{p}\right)$, where $\left(\frac{\cdot}{\mathfrak{p}}\right)$ is defined in Exercise 19 of Chapter 4.

9. Prove that, as claimed in the text, if $S$ is the group of singular numbers, the following sequence is exact:

$$1 \longrightarrow U(K)/U(K)^2 \longrightarrow S/K^{*2} \longrightarrow Cl(K)[2] \longrightarrow 1,$$

where $Cl(K)[2]$ is the subgroup of elements of $Cl(K)$ whose square is equal to the identity.

10. Let $A(X)$ be an irreducible monic polynomial in $\mathbb{Z}[X]$.

a) Show that either $A(X^2)$ is irreducible in $\mathbb{Z}[X]$, or there exists an irreducible monic polynomial $S \in \mathbb{Z}[X]$ such that $A(X^2) = \pm S(X)S(-X)$.

b) Prove the validity of Algorithm 10.5.2.

11. For any finite Abelian group $G$ and $n \ge 1$ show that

$$G[n] \simeq G/G^n$$

(although this isomorphism is not canonical in general).


Appendix  A 

Packages  for  Number  Theory 


There  exist  several  computer  packages  which  can  profitably  be  used  for 
number-theoretic  computations.  In  this  appendix,  I  will  briefly  describe  the 
advantages  and  disadvantages  of  some  of  these  systems. 

Most general-purpose symbolic algebra packages have been written primarily for applied mathematicians, engineers and physicists, and are not always well suited for number theory. These packages roughly fall into two categories. In the first category one finds computer algebra systems developed in the 1970's, of which the main representatives are Macsyma and Reduce. Because of their maturity, these systems have been extensively tested and probably have fewer bugs than more recent systems. In addition they are very often mathematically more robust. In the second category, I include more recent packages developed in the 1980's, of which the most common are Mathematica, by Wolfram Research, Inc., Maple, by the University of Waterloo, Canada, and more recently Axiom, developed by IBM and commercialized by NAG. These second-generation systems, being more recent, have more bugs and have been less tested. They are also often more prone to mathematical errors. On the other hand they have been aggressively commercialized and as a consequence have become more popular. However, the older systems have also been improved, and in particular recently Macsyma was greatly improved in terms of speed, user friendliness and efficiency and now compares very favorably to more recent packages. Mathematica has a very nice user interface, and its plotting capabilities, for example on the Macintosh, are superb. Maple is faster and often simpler to use, and has my preference. Axiom is a monster (in the same sense that ADA is a monster as a programming language). It certainly has a large potential for developing powerful applications, but I do not believe that there is the need for such power (which is usually obtained at the expense of speed) for everyday (number-theoretic) problems.

Some other packages were specially designed for small machines like Personal Computers (PC's). One of these is Derive, which is issued from µ-Math, and requires only half a megabyte of main memory. Derive even runs on some pocket computers! Another system, the Calculus Calculator (CC), is a symbolic manipulator with three-dimensional graphics and matrix operations which also runs on PC's. A third system, Numbers, is a shareware calculator for number theory that runs on PC's. It is designed to compute number theoretic functions for positive integers up to 150 decimal digits (modular arithmetic, primality testing, continued and Farey fractions, Fibonacci and Lucas numbers, encryption and decryption).

In  addition  to  commercial  packages,  free  software  systems  (which  are  not 
complete  symbolic  packages)  also  exist.  One  is  Ubasic,  written  by  Y.  Kida, 
which  is  a  math-oriented  high-precision  Basic  for  PC’s  (see  the  review  in  the 
Notices  of  the  AMS  of  March  1991).  Its  extensions  to  Basic  allow  it  to  handle 
integers  and  reals  of  several  thousand  digits,  as  well  as  fractions,  complex 
numbers  and  polynomials  in  one  variable.  Many  number-theoretic  functions 
are  included  in  Ubasic,  including  the  factoring  algorithm  MPQS.  Since  the 
package  is  written  in  assembly  language,  Ubasic  is  very  fast. 

Another  package,  closer  to  a  symbolic  package,  is  Pari,  written  by  the  au¬ 
thor  and  collaborators  (see  the  review  in  the  Notices  of  the  AMS  of  October 
1991).  This  package  can  be  used  on  Unix  workstations,  Macintosh,  Amiga, 
PC’s,  etc.  Its  kernel  is  also  written  in  assembler,  so  it  is  also  very  fast.  Fur¬ 
thermore,  it  has  been  specially  tailored  for  number-theoretic  computations.  In 
addition,  it  provides  tools  which  are  rarely  or  never  found  in  other  symbolic 
packages  such  as  the  direct  handling  of  concrete  mathematical  objects,  for 
example  p-adic  numbers,  algebraic  numbers  and  finite  fields,  etc  ...  It  also 
gives  mathematically  more  correct  results  than  many  packages  on  fundamen¬ 
tal  operations  (e.g.  subtraction  of  two  real  numbers  which  are  approximately 
equal). 

Source  is  included  in  the  package  so  it  is  easy  to  correct,  improve  and 
expand.  Essentially  all  of  the  algorithms  described  in  the  present  book  have 
been  implemented  in  Pari,  so  I  advise  the  reader  to  obtain  a  copy  of  it. 

Apart  from  those  general  computer  algebra  systems,  some  special-purpose 
systems  exist:  GAP,  Kant,  Magma,  Simath.  The  Magma  system  is  designed 
to  support  fast  computations  in  algebra  (groups,  modules,  rings,  polynomial 
rings  over  various  kinds  of  coefficient  domains),  number  theory  and  finite 
geometry.  It  includes  general  machinery  for  classical  number  theory  (for  ex¬ 
ample  the  ECM  program  of  A.K.  Lenstra),  finite  fields  and  cyclotomic  fields 
and  facilities  for  computing  in  a  general  algebraic  number  field.  It  will  even¬ 
tually  include  a  MPQS  factoring  algorithm,  a  Jacobi  sum-type  primality  test 
and  a  general  purpose  elliptic  curve  calculator.  According  to  the  developers, 
it  should  eventually  include  “just  about  all  of  the  algorithms  of  this  book” . 
GAP  (Groups,  Algorithms  and  Programming)  is  specially  designed  for  compu¬ 
tations  in  group  theory.  It  includes  some  facilities  for  doing  elementary  number 
theory,  in  particular  to  calculate  with  arbitrary  length  integers  and  rational 
numbers,  cyclotomic  fields  and  their  subfields,  and  finite  fields.  It  has  func¬ 
tions  for  integer  factorization  (based  on  elliptic  curves),  for  primality  testing, 
and  for  some  elementary  functions  from  number  theory  and  combinatorics.  Its 
programming  language  is  Maple-like.  Kant  (Komputational  Algebraic  Number 
Theory)  is  a  subroutine  package  for  algorithms  from  the  geometry  of  numbers 
and algebraic number theory, which will be included in Magma. Simath, developed at the University of Saarbrücken, is another system for number-theoretic computations which is quite fast and has a nice user interface called simcalc.




In  addition  to  specific  packages,  handling  of  multi-precision  numbers  or 
more  general  types  can  be  easily  achieved  with  several  languages,  Lisp,  C 
and  C++.  For  Lisp,  the  INRIA  implementation  LeLisp  (which  is  not  public 
domain)  contains  a  package  written  in  assembler  to  handle  large  numbers, 
and  hence  is  very  fast.  The  GNU  Calc  system  is  an  advanced  desk  calculator 
for GNU Emacs, written in Emacs Lisp. An excellent public domain C++ compiler can be obtained from the Free Software Foundation, and its library allows the use of multi-precision numbers or other types. The library is however written in C++ hence is slow, so it is strongly advised to write a library in assembler for number-theoretic uses. Another multi-precision system written
in  C  is  the  desk  calculator  (Calc)  of  Hans-J.  Boehm  for  Unix  workstations.  Its 
particularity  is  to  handle  “constructive”  real  numbers,  that  is  to  remember  the 
best  known  approximation  to  a  number  already  computed.  For  PC’s,  Timothy 
C.  Frenz  has  developed  an  “infinite”  precision  calculator,  also  named  Calc. 

Finally, a few free packages exist which have been specifically written for handling multi-precision integers as part of a C library in an efficient way. In addition to Pari mentioned above, there is the Bignum package of DEC PRL (which is essentially the package used in LeLisp as mentioned above) which can be obtained by sending an e-mail message to librarian@decprl.dec.com, and the GNU multi-precision package Gmp which can be obtained by anonymous ftp from prep.ai.mit.edu, the standard place where one can ftp all the GNU software.

Conclusions. 

My  personal  advice  (which  is  certainly  not  objective)  is  the  following.  If 
you  are  on  an  IBM-PC  286,  you  do  not  have  much  choice.  Obtain  Ubasic, 
Derive  or  the  Calculus  Calculator.  On  an  IBM-PC  386  or  more,  Maple,  Mac- 
syma,  Mathcad  (see  Maple  below)  and  Pari  are  also  available.  If  you  are  on 
a  MacII  or  on  a  Unix  workstation  then,  if  you  really  need  all  the  power  of  a 
symbolic  package,  buy  either  Maple  or  Mathematica,  my  preference  going  to 
Maple.  If  you  want  a  system  that  is  already  specialized  for  number  theoretic 
computations,  then  buy  Magma.  In  any  case,  as  a  complement  to  this  package, 
obtain  Pari. 

Where  to  obtain  these  packages. 

You can order Maple at the following address: Waterloo Maple Software, 160 Columbia St. W., Waterloo, Ontario, Canada N2L 3L3, phone (519) 747-2373, fax (519) 747-5284, e-mail wmsi@daisy.waterloo.edu. Maple has been ported to many different machines and it is highly probable that it has been ported to the machine that you want. There is also a system named Mathcad that uses some parts of Maple for its symbolic manipulations; Mathcad runs under Microsoft Windows and is published by MathSoft Inc., 201 Broadway, Cambridge, Massachusetts, USA, 02139, phone (617) 577-1017.

You can order Mathematica from Wolfram Research, Inc. at the following address: Wolfram Research, 100 Trade Center Drive, Champaign, IL 61820, phone 800-441-Math, fax 217-398-0747, e-mail info@wri.com. Mathematica has also been ported to quite a number of machines, and in addition you can use a friendly "front-end" like the Macintosh II linked to a more powerful computer (including supercomputers) which will do the actual computations.

Macsyma exists in two flavors: the commercial versions (Macsyma, ALJABR, ParaMacs) are licensed from MIT, the non-commercial versions (Vaxima, Maxima, and DOE-Macsyma) officially come from the American Department of Energy (DOE). All these versions are derived from the Macsyma developed by the Mathlab Group at MIT. The commercial version runs on PC 386, Symbolics computers, VMS machines and most Unix workstations; the address to order it is: Macsyma Inc., 20 Academy Street, Suite 201, Arlington MA 02174-6436, phone (617) 646-4550 or 1-800-MACSYMA (free from the U.S.), fax (617) 646-3161, e-mail info-macsyma@macsyma.com. Vaxima is available from the Energy Science and Technology Software Center (ESTSC), P.O. Box 1020, Oak Ridge, Tennessee 37831, phone (615) 576-2606. Maxima is a Common Lisp version maintained by William Schelter (e-mail wfs@math.utexas.edu) at Texas University. Although it is a non-commercial version, one must get a license from the Energy Science and Technology Software Center (see above) to use it. For more information, get the file README.MAXIMA by anonymous ftp on rascal.ics.utexas.edu. ParaMacs is available from Leo Harten, Paradigm Associates, Inc., 29 Putnam Avenue, Suite 6, Cambridge, MA 02139, phone (617) 492-6079, fax (617) 876-8186, e-mail lph@paradigm.com. ALJABR is available from Fort Pond Research, 15 Fort Pond Road, Acton, MA 01720, phone 508-263-9692, e-mail aljabr@fpr.com. It runs on Macintosh, Sun and SGI computers.

There are many distributors of Reduce, depending on the machine and version of Lisp that is used. The main one is Herbert Melenk, Konrad-Zuse-Zentrum für Informationstechnik Berlin (ZIB), Heilbronner Str. 10, D 1000 Berlin 31, Germany, phone 30-89604-195, fax 30-89604-125, e-mail melenk@sc.zib-berlin.de. You will get detailed information if you send an electronic message with send info-package as subject to reduce-netlib@rand.org.

Axiom on IBM RS/6000 is distributed by NAG: contact the Numerical Algorithms Group Ltd., Wilkinson House, Jordan Hill Rd., Oxford, UK OX2 8DR, phone (0)-865-511245, e-mail nagttt@vax.oxford.ac.uk. A Sparc version is also available.

Derive  is  available  from  Soft  Warehouse,  Inc.,  3615  Harding  Avenue,  Suite 
505,  Honolulu,  Hawaii  96816,  USA,  phone  (808)  734-5801,  fax  (808)  735-1105. 

You can obtain Ubasic by anonymous ftp at shape.mps.ohio-state.edu or wuarchive.wustl.edu. Or you can write directly to Kida at the following address: Prof. Yuji Kida, Department of Mathematics, Rikkyo University, Nishi-Ikebukuro 3, Tokyo 171, JAPAN, e-mail kida@rkmath.rikkyo.ac.jp.

The Calculus Calculator (CC) is developed by David Meredith, Department of Mathematics, San Francisco State University, 1600 Holloway Avenue, San Francisco, CA 94132, phone (415) 338-2199. Version 3 (CC3) is published with a 200 page manual by Prentice Hall, phone (201) 767-5937. Version 4 (CC4) is available by anonymous ftp from wuarchive.wustl.edu.

You can order Magma from The Secretary, Computational Algebra Group, Pure Mathematics, University of Sydney, NSW 2006, Australia, phone (2) 692-3338, fax (2) 692-4534, e-mail magma@maths.su.oz.au. It runs on Sun, HP, Apollo, VAX/VMS, Convex and various IBM machines.

GAP is available free of charge through ftp from Aachen: the ordinary mail address is Lehrstuhl D für Mathematik, RWTH Aachen, Templergraben 64, D-5100 Aachen, Germany. For technical questions, contact Martin Schoenert (e-mail martin@math.rwth-aachen.de), and for more general questions, contact Prof. Joachim Neubüser (e-mail neubueser@math.rwth-aachen.de).

There are two versions of Kant: Kant V1 is written in Ansi-Fortran 77, while Kant V2 is built on the Magma platform and written in Ansi-C. These two versions are available from the KANT Group: e-mail to pohst@math.tu-berlin.de or daberkow@math.tu-berlin.de. You can get the system by anonymous ftp from ftp.math.tu-berlin.de, directory /pub/algebra/Kant. Note that Kant V2 is now also part of the Magma package.

You can obtain Simath by anonymous ftp from ftp.math.uni-sb.de.

Numbers is developed by Ivo Düntsch, Moorlandstr. 59, W-4500 Osnabrück, phone (541) 189-106, fax (541) 969-2470, e-mail duentsch@dosuni1.bitnet. You can get the system by anonymous ftp from dione.rz.uni-osnabrueck.de.

You can obtain Gmp (as well as all software from the Free Software Foundation) by anonymous ftp on prep.ai.mit.edu.

The three multi-precision systems named Calc can all be obtained by anonymous ftp: the GNU calculator (written and maintained by Dave Gillespie, e-mail daveg@csvax.cs.caltech.edu, 256-80 Caltech, Pasadena, CA 91125) from csvax.cs.caltech.edu, the calculator of Hans-J. Boehm from arisia.xerox.com and the calculator of Timothy C. Frenz (5361 Amalfi Drive, Clay, NY 13041) from the site wuarchive.wustl.edu.

Finally,  you  can  obtain  Pari  by  anonymous  ftp  from  the  sites 
megrez.ceremab.u-bordeaux.fr,  ftp.inria.fr  and  math.ucla.edu. 


Internet addresses and numbers for ftp

Host                          IP address       Package
arisia.xerox.com              13.1.64.94       Boehm-Calc
csvax.cs.caltech.edu          131.215.131.131  GNU Calc
dione.rz.uni-osnabrueck.de    131.173.128.15   Numbers
ftp.math.tu-berlin.de         130.149.12.72    Kant
ftp.math.uni-sb.de            134.96.32.23     Simath
math.ucla.edu                 128.97.4.254     Pari
megrez.ceremab.u-bordeaux.fr  147.210.16.17    Pari
prep.ai.mit.edu               18.71.0.38       Gmp
rascal.ics.utexas.edu         128.83.138.20    Maxima
shape.mps.ohio-state.edu      128.146.110.30   Ubasic
wuarchive.wustl.edu           128.252.135.4    Most packages

Appendix  B 

Some  Useful  Tables 


In this appendix, we give five short tables which may be useful as basic data on which to work in algebraic number fields and on elliptic curves. The first two tables deal with quadratic fields and can be found in many places.

The third and fourth tables give the corresponding data for complex and totally real cubic fields respectively, and have been produced by M. Olivier using the method explained in Section 6.4.1 and the KANT package (see Appendix A).

The fifth table is a short table of elliptic curves extracted from [LN476] and [Cre].

I give here a list of references to the main tables that I am aware of. Not included are tables which have been superseded, and also papers containing only a few of the smallest number fields.

For quadratic fields see [Buel] and [Ten-Wil].

For cubic fields see [Enn-Tur1], [Enn-Tur2], [Gras], [Ang], [Sha-Wil] and [Ten-Wil].

For quartic fields see [Ford3], [Buc-Ford] and [BFP].

For quintic fields see [Diaz] and [SPD].

For sextic fields see [Oli3], [Oli4], [Oli5] and [Oli6].

Finally, for an extensive table of elliptic curves see Cremona's book [Cre].


B.1 Table of Class Numbers of Complex Quadratic Fields

Recall that the group of units of a complex quadratic field is $\{\pm 1\}$, except when the discriminant is equal to $-3$ or $-4$, in which case it is the group of sixth or fourth roots of unity respectively.

The following table lists triples $(d, h(d), H(-d))$ where $d$ is negative and congruent to 0 or 1 modulo 4, $h(d)$ is the class number of the quadratic order of discriminant $d$, and $H(-d)$ is the Hurwitz class number of discriminant $d$ (see Definition 5.3.6). Note that $h(d) = H(-d)$ if and only if $d$ is a fundamental discriminant, and that $H(-d)$ has denominator equal to 2 (resp. 3) if and only if $d$ is of the form $-4f^2$ (resp. $-3f^2$), and otherwise is an integer.
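As an added worked example (not part of the book's appendix), the following Python code computes the entries $(d, h(d), H(-d))$ of the table directly from the definitions: $h(d)$ by counting reduced primitive binary quadratic forms of discriminant $d$, and $H(-d)$ as the sum over the square divisors $f^2$ of $-d$ with the weights $1/3$ and $1/2$ at the discriminants $-3$ and $-4$. Running it over the discriminants below reproduces the table, in particular the fractional values at $d = -4f^2$ and $d = -3f^2$. The function names are the example's own.

```python
from fractions import Fraction
from math import gcd

def reduced_forms(d):
    """Reduced primitive positive definite forms (a, b, c) of discriminant d < 0:
    b^2 - 4ac = d, |b| <= a <= c, gcd(a, b, c) = 1, and b >= 0 when |b| = a or a = c.
    Each class of forms contains exactly one reduced form, so len(...) is h(d)."""
    assert d < 0 and d % 4 in (0, 1)
    forms = []
    a = 1
    while 3 * a * a <= -d:                      # reduction forces a <= sqrt(|d|/3)
        for b in range(-a, a + 1):
            if (b * b - d) % (4 * a):
                continue
            c = (b * b - d) // (4 * a)
            if c < a or gcd(gcd(a, abs(b)), c) != 1:
                continue
            if b < 0 and (-b == a or a == c):   # (a,-b,c) ~ (a,b,c) in these cases
                continue
            forms.append((a, b, c))
        a += 1
    return forms

def class_number(d):
    """h(d), the class number of the quadratic order of discriminant d < 0."""
    return len(reduced_forms(d))

def hurwitz_class_number(n):
    """H(n) for n > 0: the sum of h_w(-n/f^2) over f with f^2 | n and -n/f^2 a
    discriminant, with the weights h_w(-3) = 1/3, h_w(-4) = 1/2, h_w(d) = h(d) else."""
    total = Fraction(0)
    f = 1
    while f * f <= n:
        if n % (f * f) == 0:
            d = -(n // (f * f))
            if d % 4 in (0, 1):                 # -n/f^2 must itself be a discriminant
                if d == -3:
                    total += Fraction(1, 3)
                elif d == -4:
                    total += Fraction(1, 2)
                else:
                    total += class_number(d)
        f += 1
    return total

def table_row(d):
    """The triple (d, h(d), H(-d)) as printed in the table."""
    return d, class_number(d), hurwitz_class_number(-d)

if __name__ == "__main__":
    for d in (-3, -4, -12, -36, -75, -100, -108, -116, -243, -300):
        print(table_row(d))
```

The form count is exact integer arithmetic, so the only cost is the loop over $a \le \sqrt{|d|/3}$; for the range of the table this is instantaneous, and the fractional part of $H(-d)$ appears exactly when $-3$ or $-4$ occurs among the $-d/f^2$, as the text states.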



Triples (d, h(d), H(-d)), in order of increasing |d|:

(-3,1,1/3)    (-4,1,1/2)    (-7,1,1)       (-8,1,1)
(-11,1,1)     (-12,1,4/3)   (-15,2,2)      (-16,1,3/2)
(-19,1,1)     (-20,2,2)     (-23,3,3)      (-24,2,2)
(-27,1,4/3)   (-28,1,2)     (-31,3,3)      (-32,2,3)
(-35,2,2)     (-36,2,5/2)   (-39,4,4)      (-40,2,2)
(-43,1,1)     (-44,3,4)     (-47,5,5)      (-48,2,10/3)
(-51,2,2)     (-52,2,2)     (-55,4,4)      (-56,4,4)
(-59,3,3)     (-60,2,4)     (-63,4,5)      (-64,2,7/2)
(-67,1,1)     (-68,4,4)     (-71,7,7)      (-72,2,3)
(-75,2,7/3)   (-76,3,4)     (-79,5,5)      (-80,4,6)
(-83,3,3)     (-84,4,4)     (-87,6,6)      (-88,2,2)
(-91,2,2)     (-92,3,6)     (-95,8,8)      (-96,4,6)
(-99,2,3)     (-100,2,5/2)  (-103,5,5)     (-104,6,6)
(-107,3,3)    (-108,3,16/3) (-111,8,8)     (-112,2,4)
(-115,2,2)    (-116,6,6)    (-119,10,10)   (-120,4,4)
(-123,2,2)    (-124,3,6)    (-127,5,5)     (-128,4,7)
(-131,5,5)    (-132,4,4)    (-135,6,8)     (-136,4,4)
(-139,3,3)    (-140,6,8)    (-143,10,10)   (-144,4,15/2)
(-147,2,7/3)  (-148,2,2)    (-151,7,7)     (-152,6,6)
(-155,4,4)    (-156,4,8)    (-159,10,10)   (-160,4,6)
(-163,1,1)    (-164,8,8)    (-167,11,11)   (-168,4,4)
(-171,4,5)    (-172,3,4)    (-175,6,7)     (-176,6,10)
(-179,5,5)    (-180,4,6)    (-183,8,8)     (-184,4,4)
(-187,2,2)    (-188,5,10)   (-191,13,13)   (-192,4,22/3)
(-195,4,4)    (-196,4,9/2)  (-199,9,9)     (-200,6,7)
(-203,4,4)    (-204,6,8)    (-207,6,9)     (-208,4,6)
(-211,3,3)    (-212,6,6)    (-215,14,14)   (-216,6,8)
(-219,4,4)    (-220,4,8)    (-223,7,7)     (-224,8,12)
(-227,5,5)    (-228,4,4)    (-231,12,12)   (-232,2,2)
(-235,2,2)    (-236,9,12)   (-239,15,15)   (-240,4,8)
(-243,3,13/3) (-244,6,6)    (-247,6,6)     (-248,8,8)
(-251,7,7)    (-252,4,10)   (-255,12,12)   (-256,4,15/2)
(-259,4,4)    (-260,8,8)    (-263,13,13)   (-264,8,8)
(-267,2,2)    (-268,3,4)    (-271,11,11)   (-272,8,12)
(-275,4,5)    (-276,8,8)    (-279,12,15)   (-280,4,4)
(-283,3,3)    (-284,7,14)   (-287,14,14)   (-288,4,9)
(-291,4,4)    (-292,4,4)    (-295,8,8)     (-296,10,10)
(-299,8,8)    (-300,6,28/3) (-303,10,10)   (-304,6,10)
(-307,3,3)    (-308,8,8)    (-311,19,19)   (-312,4,4)
(-315,4,6)    (-316,5,10)   (-319,10,10)   (-320,8,14)
(-323,4,4)    (-324,6,17/2) (-327,12,12)   (-328,4,4)
(-331,3,3)    (-332,9,12)   (-335,18,18)   (-336,8,12)
(-339,6,6)    (-340,4,4)    (-343,7,8)     (-344,10,10)
(-347,5,5)    (-348,6,12)   (-351,12,16)   (-352,4,6)
(-355,4,4)    (-356,12,12)  (-359,19,19)   (-360,8,10)
(-363,4,13/3) (-364,6,8)    (-367,9,9)     (-368,6,12)
(-371,8,8)    (-372,4,4)    (-375,10,12)   (-376,8,8)
(-379,3,3)    (-380,8,16)   (-383,17,17)   (-384,8,14)
(-387,4,5)    (-388,4,4)    (-391,14,14)   (-392,8,9)
(-395,8,8)    (-396,6,12)   (-399,16,16)   (-400,4,15/2)
(-403,2,2)    (-404,14,14)  (-407,16,16)   (-408,4,4)
(-411,6,6)    (-412,5,10)   (-415,10,10)   (-416,12,18)
(-419,9,9)    (-420,8,8)    (-423,10,15)   (-424,6,6)
(-427,2,2)    (-428,9,12)   (-431,21,21)   (-432,6,40/3)
(-435,4,4)    (-436,6,6)    (-439,15,15)   (-440,12,12)
(-443,5,5)    (-444,8,16)   (-447,14,14)   (-448,4,8)
(-451,6,6)    (-452,8,8)    (-455,20,20)   (-456,8,8)
(-459,6,8)    (-460,6,8)    (-463,7,7)     (-464,12,18)
(-467,7,7)    (-468,8,10)   (-471,16,16)   (-472,6,6)
(-475,4,5)    (-476,10,20)  (-479,25,25)   (-480,8,12)
(-483,4,4)    (-484,6,13/2) (-487,7,7)     (-488,10,10)
(-491,9,9)    (-492,6,8)    (-495,16,20)   (-496,6,12)
(-499,3,3)    (-500,10,12)  (-503,21,21)   (-504,8,12)


B.2 Table of Class Numbers and Units of Real Quadratic Fields

In the following table of real quadratic fields $K$ we list the following data from left to right: the discriminant $d = d(K)$, the class number $h = h(K)$, the regulator $R = R(K)$, the norm $N(\varepsilon)$ of the fundamental unit $\varepsilon$, and finally the fundamental unit itself, given as a pair of coordinates $(a, b)$ on the canonical integral basis $(1, \omega)$, i.e. $\varepsilon = a + b\omega$, where $\omega = (1 + \sqrt{d})/2$ if $d \equiv 1 \pmod 4$ and $\omega = \sqrt{d}/2$ if $d \equiv 0 \pmod 4$.
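As an added example (not code from the book), the following Python function computes the fundamental unit of the order of discriminant $d$ by expanding $\omega$ in a continued fraction, multiplying the complete quotients $(P_i + \sqrt{d})/Q_i$ over one period, and reading off the coordinates $(a, b)$ of $\varepsilon = a + b\omega$, its norm and the regulator $R = \log\varepsilon$. It reproduces the rows of the table, including $d = 313$, where the coordinates have nine digits and $R = 19.35$. The function and variable names are the example's own.

```python
from fractions import Fraction
from math import isqrt, log, sqrt

def fundamental_unit(d):
    """Fundamental unit of the real quadratic order of discriminant d > 0 (d a
    non-square with d = 0 or 1 mod 4).  Expands omega = (b + sqrt d)/2, b = d mod 2,
    as a continued fraction, writing the complete quotients as (P_i + sqrt d)/Q_i;
    the product of the complete quotients over one period is the fundamental unit.
    Returns ((a, b), N(eps), R) with eps = a + b*omega > 1 on the basis (1, omega)."""
    s = isqrt(d)
    assert d > 0 and d % 4 in (0, 1) and s * s != d
    P, Q = d % 2, 2                           # omega_0 = (P + sqrt d)/Q
    seen, states = {}, []
    while (P, Q) not in seen:
        seen[(P, Q)] = len(states)
        states.append((P, Q))
        q = (P + s) // Q                      # partial quotient floor(omega_i); Q > 0
        P = q * Q - P
        Q = (d - P * P) // Q                  # exact division
    period = states[seen[(P, Q)]:]            # minimal period of the expansion
    u, v = Fraction(1), Fraction(0)           # running product u + v*sqrt(d)
    for Pi, Qi in period:
        u, v = (u * Pi + v * d) / Qi, (u + v * Pi) / Qi
    x, y = 2 * u, 2 * v                       # eps = (x + y sqrt d)/2 with x, y in Z
    assert x.denominator == 1 and y.denominator == 1
    x, y = int(x), int(y)
    norm = (x * x - d * y * y) // 4           # N(eps) = (-1)^(period length)
    coords = ((x - y) // 2, y) if d % 4 == 1 else (x // 2, y)
    return coords, norm, log((x + y * sqrt(d)) / 2)

if __name__ == "__main__":
    for d in (5, 8, 12, 13, 40, 97, 313):
        print(d, *fundamental_unit(d))
```

The norm is $-1$ exactly when the period length is odd, since each complete quotient has norm $-Q_{i+1}/Q_i$ and the product telescopes; the unit itself is kept as an exact rational pair until the end, so the coordinates are correct even where they are far beyond floating-point precision.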


d     h   R        N(ε)   ε
5     1   0.4812   -1     (0,1)
8     1   0.8814   -1     (1,1)
12    1   1.317     1     (2,1)
13    1   1.195    -1     (1,1)
17    1   2.095    -1     (3,2)
21    1   1.567     1     (2,1)
24    1   2.292     1     (5,2)
28    1   2.769     1     (8,3)
29    1   1.647    -1     (2,1)
33    1   3.828     1     (19,8)
37    1   2.492    -1     (5,2)
40    2   1.818    -1     (3,1)
41    1   4.159    -1     (27,10)
44    1   2.993     1     (10,3)
53    1   1.966    -1     (3,1)
56    1   3.400     1     (15,4)
57    1   5.710     1     (131,40)
60    2   2.063     1     (4,1)
61    1   3.664    -1     (17,5)
65    2   2.776    -1     (7,2)
69    1   3.217     1     (11,3)
73    1   7.667    -1     (943,250)
76    1   5.829     1     (170,39)
77    1   2.185     1     (4,1)
85    2   2.209    -1     (4,1)
88    1   5.976     1     (197,42)
89    1   6.908    -1     (447,106)
92    1   3.871     1     (24,5)
93    1   3.366     1     (13,3)
97    1   9.324    -1     (5035,1138)
101   1   2.998    -1     (9,2)
104   2   2.312    -1     (5,1)
105   2   4.407     1     (37,8)
109   1   5.565    -1     (118,25)
113   1   7.347    -1     (703,146)
120   2   3.089     1     (11,2)
124   1   8.020     1     (1520,273)
129   1   10.43     1     (15371,2968)
133   1   5.153     1     (79,15)
136   2   4.248     1     (35,6)
137   1   8.157    -1     (1595,298)
140   2   2.478     1     (6,1)
141   1   5.247     1     (87,16)
145   4   3.180    -1     (11,2)
149   1   4.111    -1     (28,5)
152   1   4.304     1     (37,6)
156   2   3.912     1     (25,4)
157   1   5.361    -1     (98,17)
161   1   10.07     1     (10847,1856)
165   2   2.559     1     (6,1)
168   2   3.257     1     (13,2)
172   1   8.849     1     (3482,531)
173   1   2.571    -1     (6,1)
177   1   11.73     1     (57731,9384)
181   1   7.174    -1     (604,97)
184   1   10.79     1     (24335,3588)
185   2   4.913    -1     (63,10)
188   1   4.564     1     (48,7)
193   1   15.08    -1     (1637147,253970)
197   1   3.333    -1     (13,2)
201   1   13.85     1     (478763,72664)
204   2   4.605     1     (50,7)
205   2   3.761     1     (20,3)
209   1   11.44     1     (43331,6440)
213   1   4.290     1     (34,5)
217   1   15.86     1     (3583111,521904)
220   2   5.182     1     (89,12)
221   2   2.704     1     (7,1)
229   3   2.712    -1     (7,1)
232   2   5.288    -1     (99,13)
233   1   10.74    -1     (21639,3034)
236   1   6.966     1     (530,69)
237   1   4.344     1     (36,5)
241   1   18.77    -1     (66436843,9148450)
248   1   4.836     1     (63,8)
249   1   16.66     1     (8011739,1084152)
253   1   7.529     1     (872,117)
257   3   3.467    -1     (15,2)
264   2   4.867     1     (65,8)
265   2   9.405    -1     (5699,746)
268   1   11.49     1     (48842,5967)
269   1   5.100    -1     (77,10)
273   2   7.282     1     (683,88)
277   1   7.868    -1     (1228,157)
280   2   6.219     1     (251,30)
281   1   14.57    -1     (1000087,126890)
284   1   8.848     1     (3480,413)
285   2   2.830     1     (8,1)
293   1   2.837    -1     (8,1)
296   2   4.454    -1     (43,5)
301   1   10.03     1     (10717,1311)
305   2   6.886     1     (461,56)
309   1   8.526     1     (2379,287)
312   2   4.663     1     (53,6)
313   1   19.35    -1     (119691683,14341370)
316   3   5.075     1     (80,9)
317   1   4.489    -1     (42,5)
321   3   6.064     1     (203,24)
328   4   2.893    -1     (9,1)
329   1   15.37     1     (2245399,262032)
332   1   5.100     1     (82,9)
337   1   21.43    -1     (960491695,110671282)
341   1   5.624     1     (131,15)
344   1   9.943     1     (10405,1122)
345   2   9.512     1     (6397,728)
348   2   4.025     1     (28,3)
349   1   9.821    -1     (8717,986)
353   1   11.87    -1     (67471,7586)
357   2   2.942     1     (9,1)
364   2   8.055     1     (1574,165)
365   2   2.947    -1     (9,1)
373   1   9.234    -1     (4853,530)
376   1   15.27     1     (2143295,221064)
377   2   6.144     1     (221,24)
380   2   4.357     1     (39,4)
381   1   7.616     1     (963,104)
385   2   12.16     1     (90947,9768)
389   1   7.849    -1     (1217,130)
393   1   18.35     1     (44094699,4684888)
397   1   8.145    -1     (1637,173)
401   5   3.690    -1     (19,2)
408   2   5.308     1     (101,10)
409   1   26.13    -1     (106387620283,11068353370)
412   1   13.03     1     (227528,22419)
413   1   4.111     1     (29,3)
417   1   18.96     1     (81144379,8356536)
421   1   13.01    -1     (211627,21685)
424   2   8.988    -1     (4005,389)
428   1   7.562     1     (962,93)
429   2   4.977     1     (69,7)
433   1   23.39    -1     (6883177307,694966754)
437   1   3.042     1     (10,1)
440   2   3.737     1     (21,2)
444   2   6.380     1     (295,28)
445   4   3.047    -1     (10,1)
449   1   19.75    -1     (180529627,17883410)
453   1   5.004     1     (71,7)
456   2   7.626     1     (1025,96)
457   1   25.50    -1     (56325840235,5528222698)
460   2   7.720     1     (1126,105)
461   1   5.900    -1     (174,17)
465   2   10.37     1     (15135,1472)
469   3   4.174     1     (31,3)
472   1   13.33     1     (306917,28254)
473   3   5.159     1     (83,8)
476   2   5.481     1     (120,11)
481   2   14.47    -1     (920179,87922)
485   2   3.785    -1     (21,2)
488   2   3.093    -1     (11,1)
489   1   23.44     1     (7249279379,686701192)
492   2   5.497     1     (122,11)
493   2   4.710    -1     (53,5)
497   1   14.69     1     (1147975,107824)

B.3  Table  of  Class  Numbers  and  Units  of  Complex 
Cubic  Fields 


Any number field can be defined as $K = \mathbb{Q}(\alpha)$ where $\alpha$ is a primitive algebraic integer (see Section 10.5.2), and we will denote by $A(X)$ the minimal monic polynomial of $\alpha$. We will choose $A$ so that the index $f = [\mathbb{Z}_K : \mathbb{Z}[\alpha]]$ is as small as possible and with small coefficients (hence $A$ will not always be the pseudo-canonical polynomial given by Algorithm 4.4.12). The choice of the particular polynomials $A$ which we give is therefore not at all canonical.

Let now $K$ be a cubic field. Since we have chosen $\alpha$ primitive, there exists an integral basis of the form $(1, \alpha, \beta)$. Furthermore, any cubic field has at least one real embedding, hence its set of roots of unity is always equal to $\{\pm 1\}$. On the other hand, complex cubic fields have unit rank equal to 1, while totally real cubic fields have unit rank equal to 2. Since the norm of $-1$ is equal to $-1$, there is no such thing as the sign of the norm of a fundamental unit: it can always be made equal to $+1$ by changing the sign of the unit.

The following is a table of the first hundred complex cubic fields. For each field $K$ we give the following data from left to right: the discriminant $d = d(K)$, the index $f = [\mathbb{Z}_K : \mathbb{Z}[\alpha]]$, the polynomial $A$, the third element $\beta$ of an integral basis $(1, \alpha, \beta)$ (given as an expression in $\alpha$), the class number $h = h(K)$, the regulator $R = R(K)$ and the fundamental unit $\varepsilon$ expressed on the integral basis (for example $(2, 3, 1)$ means $2 + 3\alpha + \beta$). Since the signature of $K$ is equal to $(1, 1)$, the Galois group of the Galois closure of $K$ is always equal to the symmetric group $S_3$.


d      f   A                      β              h   R        ε
-23    1   X^3 + X^2 - 1          α^2            1   0.2812   (0,1,1)
-31    1   X^3 - X^2 - 1          α^2            1   0.3822   (0,1,0)
-44    1   X^3 - X^2 - X - 1      α^2            1   0.6094   (0,1,0)
-59    1   X^3 + 2X - 1           α^2            1   0.7910   (2,0,1)
-76    1   X^3 - 2X - 2           α^2            1   1.019    (1,1,0)
-83    1   X^3 - X^2 + X - 2      α^2            1   1.041    (1,0,1)
-87    1   X^3 + X^2 + 2X - 1     α^2            1   0.9348   (2,1,1)
-104   1   X^3 - X - 2            α^2            1   1.576    (1,1,1)
-107   1   X^3 - X^2 + 3X - 2     α^2            1   1.256    (3,0,1)
-108   1   X^3 - 2                α^2            1   1.347    (1,1,1)
-116   1   X^3 - X^2 - 2          α^2            1   1.718    (1,1,1)
-135   1   X^3 + 3X - 1           α^2            1   1.133    (3,0,1)
-139   1   X^3 + X^2 + X - 2      α^2            1   1.664    (3,2,1)
-140   1   X^3 + 2X - 2           α^2            1   1.474    (3,1,1)
-152   1   X^3 - X^2 - 2X - 2     α^2            1   2.131    (-1,-1,-1)
-172   1   X^3 + X^2 - X - 3      α^2            1   1.882    (-2,-2,-1)
-175   1   X^3 - X^2 + 2X - 3     α^2            1   1.289    (2,0,1)
-199   1   X^3 - X^2 + 4X - 1     α^2            1   1.337    (4,-1,1)
-200   1   X^3 + X^2 + 2X - 2     α^2            1   2.604    (9,5,3)
-204   1   X^3 - X^2 + X - 3      α^2            1   2.355    (4,1,2)
-211   1   X^3 - 2X - 3           α^2            1   2.238    (-2,-2,-1)
-212   1   X^3 - X^2 + 4X - 2     α^2            1   2.713    (-15,2,-4)
-216   1   X^3 + 3X - 2           α^2            1   3.024    (-17,-3,-5)
-231   1   X^3 + X^2 - 3          α^2            1   1.745    (2,2,1)
-239   1   X^3 - X - 3            α^2            1   2.097    (2,2,1)
-243   1   X^3 - 3                α^2            1   2.525    (4,3,2)
-244   1   X^3 + X^2 - 4X - 6     α^2            1   3.303    (5,6,2)
-247   1   X^3 + X - 3            α^2            1   1.545    (2,1,1)
-255   1   X^3 - X^2 - 3          α^2            1   1.993    (-2,-1,-1)
-268   1   X^3 + X^2 - 3X - 5     α^2            1   2.521    (3,3,1)
-283   1   X^3 + 4X - 1           α^2            2   1.401    (4,0,1)
-300   1   X^3 - X^2 - 3X - 3     α^2            1   3.149    (2,3,2)
-307   1   X^3 + X^2 + 3X - 2     α^2            1   2.958    (-15,-6,-4)
-324   1   X^3 - 3X - 4           α^2            1   4.048    (-9,-11,-5)
-327   1   X^3 - X^2 - 2X - 3     α^2            1   2.199    (1,1,1)
-331   1   X^3 - X^2 + 3X - 4     α^2            2   1.503    (3,0,1)
-335   1   X^3 + X^2 + 4X - 1     α^2            1   1.456    (4,1,1)
-339   1   X^3 + X^2 - X - 4      α^2            1   3.546    (11,10,4)
-351   1   X^3 + 3X - 3           α^2            1   1.702    (-4,-1,-1)
-356   2   X^3 - X^2 + 4X - 8     (α + α^2)/2    1   3.755    (-25,2,-10)
-364   1   X^3 + 4X - 2           α^2            1   2.936    (17,2,4)
-367   1   X^3 + X^2 + 2X - 3     α^2            1   1.856    (4,2,1)
-379   1   X^3 - X^2 + X - 4      α^2            1   3.273    (9,3,4)
-411   1   X^3 - X^2 + 5X - 2     α^2            1   4.029    (57,-7,12)
-419   1   X^3 - 4X - 5           α^2            1   3.345    (-4,-5,-2)
-424   2   X^3 - 2X - 8           α^2/2          1   4.859    (31,21,18)
-431   2   X^3 - X - 8            (α + α^2)/2    1   6.155    (133,42,72)
-436   1   X^3 + X - 4            α^2            1   4.948    (-61,-29,-21)
-439   1   X^3 + X^2 - 2X - 5     α^2            1   2.430    (3,3,1)
-440   2   X^3 + 2X - 8           α^2/2          1   4.534    (-43,-15,-18)
-451   1   X^3 + X^2 - 5X - 8     α^2            1   3.576    (-7,-7,-2)
-459   1   X^3 - 6X - 7           α^2            1   3.669    (-5,-6,-2)
-460   1   X^3 - X^2 + 5X - 3     α^2            1   3.671    (38,-3,8)
-472   1   X^3 - 5X - 6           α^2            1   5.380    (29,35,13)
-484   1   X^3 + X^2 + 4X - 2     α^2            1   5.303    (171,53,37)
-491   1   X^3 + X^2 + X - 4      α^2            2   1.891    (3,2,1)
-492   1   X^3 + X^2 + 3X - 3     α^2            1   4.421    (59,24,14)
-499   1   X^3 + 4X - 3           α^2            1   3.874    (-40,-6,-9)
-503   2   X^3 - X^2 - 2X - 8     (α + α^2)/2    1   7.027    (-211,-56,-146)
-515   1   X^3 - X^2 - X - 4      α^2            1   3.646    (-7,-5,-4)
-516   2   X^3 - X^2 - 4X - 8     (α + α^2)/2    1   6.385    (-81,-35,-63)
-519   1   X^3 + X^2 - 4X - 7     α^2            1   2.681    (3,3,1)
-524   1   X^3 - X^2 + 3X - 5     α^2            1   3.422    (18,2,5)
-527   1   X^3 + 5X - 1           α^2            1   1.617    (5,0,1)
-543   1   X^3 - X^2 + 2X - 5     α^2            1   3.013    (-9,-2,-3)
-547   1   X^3 - X^2 - 3X - 4     α^2            1   4.367    (9,10,6)
-563   1   X^3 - X^2 + 5X - 4     α^2            2   1.737    (5,0,1)
-567   1   X^3 - 3X - 5           α^2            1   2.464    (-2,-2,-1)
-588   1   X^3 + X^2 + 5X - 1     α^2            3   1.654    (5,1,1)
-620   1   X^3 - X^2 - 5X - 5     α^2            1   3.553    (3,4,2)
-628   2   X^3 + X^2 - 3X - 11    (1 + α^2)/2    1   6.494    (-138,-123,-74)
-643   1   X^3 - 2X - 5           α^2            2   2.359    (2,2,1)
-648   2   X^3 - 3X - 10          (α + α^2)/2    3   2.234    (2,1,1)
-652   1   X^3 - 8X - 10          α^2            1   4.320    (-11,0,1)
-655   1   X^3 + X^2 - 5          α^2            1   2.906    (-7,-5,-2)
-671   1   X^3 - X - 5            α^2            1   2.345    (-3,-2,-1)
-675   1   X^3 - 5                α^2            1   4.812    (-41,-24,-14)
-676   2   X^3 + X^2 - 4X - 12    (α + α^2)/2    3   2.186    (2,1,1)
-679   1   X^3 + X - 5            α^2            1   3.443    (13,6,4)
-680   1   X^3 + X^2 - 6X - 10    α^2            1   6.071    (-79,-77,-21)
-687   1   X^3 + X^2 + 4X - 3     α^2            1   3.455    (-25,-8,-5)
-695   1   X^3 - X^2 - 5          α^2            1   2.151    (2,1,1)
-696   1   X^3 + X^2 - 2X - 6     α^2            1   7.810    (-673,-589,-207)
-707   1   X^3 + 2X - 5           α^2            1   4.187    (34,12,9)
-716   1   X^3 - 4X - 6           α^2            1   6.405    (-95,-101,-40)
-728   1   X^3 - X^2 + 6X - 2     α^2            1   6.052    (-433,49,-75)
-731   1   X^3 + X^2 + 3X - 4     α^2            2   2.013    (-5,-2,-1)
-743   1   X^3 + 5X - 3           α^2            1   4.556    (-85,-9,-16)
-744   1   X^3 - X^2 - 6X - 6     α^2            1   8.294    (-347,-451,-193)
-748   1   X^3 + X^2 + X - 5      α^2            1   4.532    (-43,-25,-11)
-751   1   X^3 - X^2 + 6X - 1     α^2            2   1.768    (6,-1,1)
-755   1   X^3 + X^2 + 5X - 2     α^2            1   4.904    (121,30,22)
-756   2   X^3 + 9X - 2           (α + α^2)/2    1   7.107    (1208,-104,267)
-759   1   X^3 - X^2 + 6X - 3     α^2            1   3.137    (23,-2,4)
-771   1   X^3 - X^2 + 3X - 6     α^2            1   6.140    (-251,-36,-65)
-780   1   X^3 - X^2 - X - 5      α^2            1   6.159    (94,59,44)
-804   1   X^3 - X^2 + 4X - 6     α^2            1   8.571    (-3499,-270,-784)
-808   1   X^3 - X^2 + 2X - 6     α^2            1   7.625    (-875,-201,-259)
-812   1   X^3 - X^2 - 7X - 7     α^2            1   3.844    (4,5,2)
-815   1   X^3 - 7X - 9           α^2            1   5.064    (20,22,7)

B.4  Table  of  Class  Numbers  and  Units  of  Totally  Real 
Cubic  Fields 

The following is a table of the first hundred totally real cubic fields. We give the following data from left to right: the discriminant $d(K)$, the index $[\mathbb{Z}_K : \mathbb{Z}[\alpha]]$, the polynomial $A(X)$, the third element $\beta$ of an integral basis $(1, \alpha, \beta)$, the class number $h(K)$, the regulator $R(K)$ and a pair of fundamental units $\varepsilon_1$ and $\varepsilon_2$ expressed on the integral basis $(1, \alpha, \beta)$. The Galois group of the Galois closure of $K$ is equal to $S_3$ except for the fields whose discriminant is marked with an asterisk, which are cyclic cubic fields, i.e. with Galois group equal to $C_3$.
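The following Python code is an added example (not the book's or the KANT package's) that checks a row of this table, or of the table of complex cubic fields in B.3, from the data printed: it recovers the index $f$ from $\mathrm{disc}(A) = f^2\, d(K)$, converts a unit given on the integral basis $(1, \alpha, \beta)$ back to the power basis $1, \alpha, \alpha^2$, verifies that its norm is $\pm 1$ with an exact $3 \times 3$ determinant, and computes the regulator from the log embeddings (one real place for a complex cubic field, two of the three real places for a totally real one). Polynomials are passed as the coefficients $(a, b, c)$ of $X^3 + aX^2 + bX + c$ and $\beta$ as its coefficients on $1, \alpha, \alpha^2$; these conventions and all names are the example's own.

```python
from fractions import Fraction
import cmath
import math

# The values of beta occurring in the tables, as coefficients on (1, alpha, alpha^2).
ALPHA2 = (Fraction(0), Fraction(0), Fraction(1))                          # alpha^2
HALF_ALPHA_PLUS_ALPHA2 = (Fraction(0), Fraction(1, 2), Fraction(1, 2))    # (alpha + alpha^2)/2
HALF_1_PLUS_ALPHA2 = (Fraction(1, 2), Fraction(0), Fraction(1, 2))        # (1 + alpha^2)/2
HALF_ALPHA2 = (Fraction(0), Fraction(0), Fraction(1, 2))                  # alpha^2/2

def cubic_discriminant(a, b, c):
    """Discriminant of the monic cubic X^3 + a X^2 + b X + c."""
    return a*a*b*b - 4*b**3 - 4*a**3*c - 27*c*c + 18*a*b*c

def field_index(A, d):
    """Index f = [Z_K : Z[alpha]] recovered from disc(A) = f^2 * d(K)."""
    q, r = divmod(cubic_discriminant(*A), d)
    assert r == 0 and math.isqrt(q) ** 2 == q
    return math.isqrt(q)

def mul(p, q, A):
    """Product in Q(alpha) of p and q (coefficients on 1, alpha, alpha^2),
    reduced with alpha^3 = -a alpha^2 - b alpha - c."""
    a, b, c = A
    r = [Fraction(0)] * 5
    for i in range(3):
        for j in range(3):
            r[i + j] += Fraction(p[i]) * Fraction(q[j])
    for k in (4, 3):                        # eliminate alpha^4, then alpha^3
        t, r[k] = r[k], Fraction(0)
        r[k - 1] -= a * t
        r[k - 2] -= b * t
        r[k - 3] -= c * t
    return r[:3]

def norm(x, A):
    """N_{K/Q}(x): determinant of multiplication by x on the basis 1, alpha, alpha^2."""
    m = [mul(x, e, A) for e in ((1, 0, 0), (0, 1, 0), (0, 0, 1))]
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))

def on_power_basis(u, beta):
    """(u0, u1, u2) on the integral basis (1, alpha, beta) -> coefficients on 1, alpha, alpha^2."""
    return [u[0] + u[2] * beta[0], u[1] + u[2] * beta[1], u[2] * beta[2]]

def roots(A):
    """(real roots, one root of each complex-conjugate pair) of X^3 + aX^2 + bX + c."""
    a, b, c = map(float, A)
    f = lambda x: ((x + a) * x + b) * x + c
    M = 2 + max(abs(a), abs(b), abs(c))    # all real roots lie in (-M, M)
    lo, hi = -M, M                          # f(lo) < 0 < f(hi): bisect to one real root
    for _ in range(200):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if f(mid) < 0 else (lo, mid)
    r = (lo + hi) / 2
    p, q = a + r, b + r * (a + r)           # deflate: A(X) = (X - r)(X^2 + pX + q)
    disc = p * p - 4 * q
    if disc >= 0:
        return [r, (-p + math.sqrt(disc)) / 2, (-p - math.sqrt(disc)) / 2], []
    return [r], [(-p + cmath.sqrt(disc)) / 2]

def regulator(units, A):
    """|det| of the log-embedding matrix: one row per unit, r1 + r2 - 1 columns,
    weight 1 at a real place and 2 at a complex place."""
    real, cplx = roots(A)
    places = [(z, 1) for z in real] + [(z, 2) for z in cplx]
    n = len(places) - 1                     # unit rank
    assert len(units) == n
    M = [[w * math.log(abs(u[0] + u[1] * z + u[2] * z * z)) for z, w in places[:n]]
         for u in units]
    return abs(M[0][0]) if n == 1 else abs(M[0][0] * M[1][1] - M[0][1] * M[1][0])

def check_row(d, A, beta, units):
    """Check one row: returns (index f, regulator R) after verifying every unit has norm +-1."""
    f = field_index(A, d)
    us = [on_power_basis(u, beta) for u in units]
    for u in us:
        assert abs(norm(u, A)) == 1, (u, norm(u, A))
    return f, regulator(us, A)

if __name__ == "__main__":
    print(check_row(-23, (1, 0, -1), ALPHA2, [(0, 1, 1)]))                      # (1, 0.2812...)
    print(check_row(-356, (-1, 4, -8), HALF_ALPHA_PLUS_ALPHA2, [(-25, 2, -10)]))  # (2, 3.755...)
    print(check_row(81, (0, -3, -1), ALPHA2, [(2, 1, -1), (0, -1, 0)]))         # (1, 0.8493...)
```

The norm check is exact, so it is the right test for whether an entry has been transcribed correctly; the regulator is computed in floating point and should only be compared to the four printed digits. Note that the regulator does not depend on which place is dropped, so the choice of the first $r_1 + r_2 - 1$ places in the code is arbitrary.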
d       f   A                       β              h   R        ε1            ε2
49*     1   X^3 + X^2 - 2X - 1      α^2            1   0.5255   (2,0,-1)
81*     1   X^3 - 3X - 1            α^2            1   0.8493   (2,1,-1)      (0,-1,0)
148     1   X^3 + X^2 - 3X - 1      α^2            1   1.662    (0,1,0)       (2,0,-1)
169*    1   X^3 - X^2 - 4X - 1      α^2            1   1.365    (2,2,-1)      (0,-1,0)
229     1   X^3 - 4X - 1            α^2            1   2.355    (0,1,0)       (2,1,0)
257     1   X^3 - 5X - 3            α^2            1   1.975    (4,1,-1)      (5,1,-1)
316     1   X^3 + X^2 - 4X - 2      α^2            1   3.913    (-3,1,1)      (-5,1,1)
321     1   X^3 + X^2 - 4X - 1      α^2            1   2.569    (0,-1,0)      (-1,2,1)
361*    1   X^3 + X^2 - 6X - 7      α^2            1   1.952    (4,1,-1)      (5,0,-1)
404     1   X^3 - X^2 - 5X - 1      α^2            1   3.760    (0,-1,0)      (1,-1,-1)
469     1   X^3 + X^2 - 5X - 4      α^2            1   3.853    (-1,-1,0)     (-1,2,1)
473     1   X^3 - 5X - 1            α^2            1   2.843    (0,-1,0)      (-2,-1,0)
564     1   X^3 + X^2 - 5X - 3      α^2            1   5.403    (-2,1,0)      (-1,-1,1)
568     1   X^3 - X^2 - 6X - 2      α^2            1   6.087    (-5,-1,1)     (-7,-4,2)
621     1   X^3 - 6X - 3            α^2            1   5.400    (-2,-1,0)     (1,2,0)
697     1   X^3 - X^2 - 8X - 5      α^2            1   2.712    (6,2,-1)      (7,2,-1)
733     1   X^3 + X^2 - 7X - 8      α^2            1   5.309    (1,1,0)       (-5,-2,0)
756     1   X^3 - 6X - 2            α^2            1   5.692    (5,0,-1)      (11,1,-2)
761     1   X^3 - X^2 - 6X - 1      α^2            1   3.526    (0,1,0)       (2,1,0)
785     1   X^3 + X^2 - 6X - 5      α^2            1   4.098    (1,1,0)       (-4,1,1)
788     1   X^3 - X^2 - 7X - 3      α^2            1   5.987    (2,1,0)       (-1,-2,0)
837     1   X^3 - 6X - 1            α^2            1   6.801    (0,-1,0)      (-3,-6,-2)
892     1   X^3 + X^2 - 8X - 10     α^2            1   8.323    (3,1,-1)      (1,3,1)
940     1   X^3 - 7X - 4            α^2            1   8.908    (-11,-2,2)    (-3,1,1)
961*    2   X^3 + X^2 - 10X - 8     (α^2 + α)/2    1   12.20    (-1,2,2)      (3,4,-2)
985     1   X^3 + X^2 - 6X - 1      α^2            1   3.724    (0,1,0)       (-2,1,0)
993     1   X^3 + X^2 - 6X - 3      α^2            1   5.555    (5,-1,-1)     (5,0,-1)
1016    1   X^3 + X^2 - 6X - 2      α^2            1   10.13    (7,-1,-1)     (-11,-1,1)
1076    1   X^3 - 8X - 6            α^2            1   6.932    (1,1,0)       (-7,-3,0)
1101    1   X^3 + X^2 - 9X - 12     α^2            1   9.184    (5,2,-1)      (-7,-4,2)
1129    1   X^3 - 7X - 3            α^2            1   6.728    (-8,0,1)      (1,2,-1)
1229    1   X^3 + X^2 - 7X - 6      α^2            1   8.232    (-1,-1,0)     (11,15,4)
1257    1   X^3 + X^2 - 8X - 9      α^2            1   6.197    (-1,-1,0)     (2,-2,-1)
1300    1   X^3 - 10X - 10          α^2            1   6.550    (-1,-1,0)     (-1,2,1)
1304    2   X^3 - X^2 - 11X - 1     (α^2 + 1)/2    1   11.93    (0,-1,0)      (-5,14,10)
1345    1   X^3 - 7X - 1            α^2            1   4.923    (0,1,0)       (2,2,-1)
1369*   1   X^3 - X^2 - 12X - 11    α^2            1   3.126    (6,3,-1)      (9,2,-1)
1373    1   X^3 - 8X - 5            α^2            1   9.423    (-6,0,1)      (-13,-2,2)
1384    1   X^3 + X^2 - 10X - 14    α^2            1   10.38    (-3,-2,0)     (-5,1,1)
1396    1   X^3 + X^2 - 7X - 5      α^2            1   8.146    (-8,0,1)      (-9,1,1)
1425    1   X^3 - X^2 - 8X - 3      α^2            1   6.676    (-2,-1,0)     (1,2,-1)
1436    1   X^3 - 11X - 12          α^2            1   12.70    (5,2,0)       (-11,-6,2)
1489    1   X^3 + X^2 - 12X - 19    α^2            1   3.361    (10,1,-1)     (11,1,-1)
1492    1   X^3 - X^2 - 9X - 5      α^2            1   7.646    (-2,-1,0)     (-1,-1,1)
1509    1   X^3 + X^2 - 7X - 4      α^2            1   11.30    (3,1,0)       (-3,-6,-1)
1524    1   X^3 + X^2 - 7X - 1      α^2            1   10.45    (0,1,0)       (-6,-11,6)
1556    1   X^3 + X^2 - 9X - 11     α^2            1   8.376    (8,0,-1)      (19,0,-2)
1573    1   X^3 + X^2 - 7X - 2      α^2            1   8.445    (-3,-1,0)     (1,4,1)
1593    1   X^3 - 9X - 7            α^2            1   6.331    (1,1,0)       (5,2,0)
1620    1   X^3 - 12X - 14          α^2            1   10.17    (9,1,-1)      (5,5,1)
1708    1   X^3 - X^2 - 8X - 2      α^2            1   12.87    (7,1,-1)      (-29,-9,5)
1765    1   X^3 + X^2 - 11X - 16    α^2            1   9.445    (-3,-1,0)     (-7,-6,-1)
1772    2   X^3 - 14X - 12          α^2/2          1   15.37    (-1,-1,0)     (-23,-36,-18)
1825    1   X^3 + X^2 - 8X - 7      α^2            1   4.488    (1,1,0)       (3,1,0)
1849*   2   X^3 - X^2 - 14X - 8     (α^2 + α)/2    1   18.92    (-9,2,0)      (-17,-4,2)
1901    1   X^3 - X^2 - 9X - 4      α^2            1   10.66    (-1,-2,0)     (-5,0,1)
1929    1   X^3 + X^2 - 10X - 13    α^2            1   8.218    (3,1,0)       (5,5,1)
1937    1   X^3 - X^2 - 8X - 1      α^2            1   6.542    (0,-1,0)      (-3,1,1)
1940    1   X^3 - 8X - 2            α^2            1   11.09    (3,-1,0)      (39,1,-5)
1944    1   X^3 - 9X - 6            α^2            1   15.60    (1,3,-1)      (-1,0,2)
1957    1   X^3 + X^2 - 9X - 10     α^2            2   4.551    (1,1,0)       (3,1,0)
2021    1   X^3 - 8X - 1            α^2            1   11.52    (0,-1,0)      (-1,-28,-10)
2024    1   X^3 - X^2 - 10X - 6     α^2            1   15.77    (5,6,-2)      (-11,-9,3)
2057    1   X^3 - 11X - 11          α^2            1   6.782    (1,1,0)       (-1,-3,-1)
2089    2   X^3 - 13X - 4           (α^2 + α)/2    1   20.76    (-1,-4,2)     (-15,4,0)
2101    1   X^3 - X^2 - 11X - 8     α^2            1   8.543    (-1,-1,0)     (15,2,-2)
2177    1   X^3 + X^2 - 8X - 5      α^2            1   7.518    (-3,-1,0)     (17,-1,-2)
2213    1   X^3 - X^2 - 13X - 12    α^2            1   12.68    (-1,-1,0)     (-1,9,4)
2228    1   X^3 - 14X - 18          α^2            1   11.09    (-7,-3,1)     (-41,-16,6)
2233    1   X^3 + X^2 - 8X - 1      α^2            1   5.523    (0,1,0)       (-1,3,1)
2241    1   X^3 - 9X - 5            α^2            1   8.264    (-4,-2,1)     (-2,-3,1)
2292    2   X^3 + X^2 - 13X - 1     (α^2 + 1)/2    1   14.36    (0,1,0)       (-4,36,17)
2296    1   X^3 - X^2 - 14X - 14    α^2            1   14.27    (13,3,-1)     (-5,-4,0)
2300    1   X^3 + X^2 - 8X - 2      α^2            1   18.12    (5,-2,0)      (73,-7,-9)
2349    1   X^3 - 12X - 13          α^2            1   11.92    (-4,-2,1)     (15,4,-2)
2429    1   X^3 - X^2 - 15X - 16    α^2            1   13.28    (-11,-2,1)    (85,16,-7)
2505    1   X^3 - X^2 - 10X - 5     α^2            1   10.68    (-2,-3,1)     (7,6,-2)
2557    1   X^3 - X^2 - 9X - 2      α^2            1   10.72    (-1,2,1)      (M,-1)
2589    2   X^3 + X^2 - 14X - 12    (α^2 + α)/2    1   16.29    (-5,-1,1)     (31,38,-20)
2597    1   X^3 + X^2 - 9X - 8      α^2            3   4.796    (1,1,0)       (-3,-1,0)
2636    1   X^3 - X^2 - 16X - 18    α^2            1   18.38    (-5,-2,0)     (25,13,-3)
2673    1   X^3 - 9X - 3            α^2            1   7.760    (10,0,-1)     (-8,0,1)
2677    1   X^3 - 10X - 7           α^2            1   11.16    (-12,0,1)     (2,2,-1)
2700    1   X^3 - 15X - 20          α^2            1   20.37    (1,-1,-1)     (-59,-22,8)
2708    1   X^3 - X^2 - 11X - 7     α^2            1   12.95    (6,7,-2)      (9,6,-2)
2713    1   X^3 - 13X - 15          α^2            1   12.34    (-13,-2,1)    (-17,-4,2)
2777    1   X^3 + X^2 - 14X - 23    α^2            2   3.949    (-2,-1,0)     (-3,-1,0)
2804    1   X^3 - X^2 - 9X - 1      α^2            1   15.24    (0,-1,0)      (10,56,21)
2808    1   X^3 - 9X - 2            α^2            1   20.31    (-1,-9,3)     (-1,-4,2)
2836    1   X^3 + X^2 - 9X - 7      α^2            1   9.692    (10,0,-1)     (-17,0,2)
2857    1   X^3 + X^2 - 10X - 11    α^2            1   4.870    (-1,-1,0)     (-3,-1,0)
2917    1   X^3 + X^2 - 13X - 20    α^2            1   11.93    (3,1,0)       (13,6,-1)
2920    2   X^3 + X^2 - 16X - 20    (α^2 + α)/2    1   17.94    (-9,-8,4)     (-4,-3,1)
2941    1   X^3 - X^2 - 17X - 20    α^2            1   13.72    (3,2,0)       (-17,-4,1)
2981    1   X^3 + X^2 - 11X - 14    α^2            1   14.63    (3,1,0)       (15,10,-1)
2993    1   X^3 + X^2 - 12X - 17    α^2            1   7.514    (-3,-1,0)     (3,2,0)
3021    1   X^3 + X^2 - 9X - 6      α^2            1   17.40    (-5,-4,2)     (5,9,2)
3028    1   X^3 - 10X - 6           α^2            1   20.35    (-1,-1,1)     (5,13,4)
3124    2   X^3 - 16X - 12          α^2/2          1   19.56    (-5,-1,1)     (115,121,-68)
3132    2   X^3 - 18X - 20          α^2/2          1   22.49    (7,2,0)       (7,7,2)
B.5 Table of Elliptic Curves

In the table below we give a table of all modular elliptic curves defined over $\mathbb{Q}$ with conductor $N$ less than or equal to 44 (up to isomorphism). Recall that according to the Taniyama-Weil Conjecture 7.3.8, all elliptic curves defined over $\mathbb{Q}$ are modular.

To every elliptic curve is attached quite a large set of invariants. We refer to [Cre] for details and a complete table. In the following table, we only give the minimal Weierstrass equation of the curve, its rank and its torsion subgroup. The rank is always equal to 0 except in the two cases $N = 37$ (curve A1) and $N = 43$ for which it is equal to 1, and in these two cases a generator of the group $E(\mathbb{Q})$ is the point with coordinates $(0, 0)$. The canonical height of this point, computed using Algorithms 7.5.6 and 7.5.7, is equal to $0.0255557041\ldots$ for $N = 37$ and to $0.0314082535\ldots$ for $N = 43$.

The Kodaira types and the constants $c_p$ can be found by using Tate's Algorithm 7.5.1. The coefficients $a_p$ of the $L$-series can be computed using Algorithm 7.4.12 or simply by adding Legendre symbols if $p$ is small. The periods can be computed using Algorithm 7.4.7. In the range of the present table the Tate-Shafarevitch group Ш is always trivial.

We follow the notations of [Cre]. We give from left to right: the conductor $N$ of the curve $E$, and an identifying label of the curve among those having the same conductor. This label is of the form letter-number: the letter (A or B) denotes the isogeny class, and the number is the ordinal number of the curve in its isogeny class. Curves numbered 1 are the strong Weil curves (see [Sil]). The next 5 columns contain the coefficients $a_1$, $a_2$, $a_3$, $a_4$ and $a_6$. The last two columns contain the rank $r$ and the torsion subgroup $T$ of $E(\mathbb{Q})$, written as $t$ if $T \simeq \mathbb{Z}/t\mathbb{Z}$ and as $t_1 \times t_2$ if $T \simeq \mathbb{Z}/t_1\mathbb{Z} \times \mathbb{Z}/t_2\mathbb{Z}$.
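As an added example (not code from [Cre] or from the book), the following Python code takes a curve from the table by its coefficients $[a_1, a_2, a_3, a_4, a_6]$, computes its discriminant, counts its points over $\mathbb{F}_p$ by adding Legendre symbols (for each $x$ the quadratic in $y$ has $1 + \left(\frac{D}{p}\right)$ solutions with $D = (a_1 x + a_3)^2 + 4f(x)$), and from that obtains the $L$-series coefficients $a_p = p + 1 - \#E(\mathbb{F}_p)$. It also checks the torsion column: for an odd prime $p$ of good reduction $E(\mathbb{Q})_{\mathrm{tors}}$ injects into $E(\mathbb{F}_p)$, so the gcd of the point counts is a multiple of $\#T$ (it gives 5 for 11A1 and 1 for 37A1). Function names are the example's own.

```python
from functools import reduce
from math import gcd

def b_invariants(E):
    a1, a2, a3, a4, a6 = E
    b2 = a1 * a1 + 4 * a2
    b4 = 2 * a4 + a1 * a3
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return b2, b4, b6, b8

def discriminant(E):
    """Discriminant of y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6."""
    b2, b4, b6, b8 = b_invariants(E)
    return -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6

def is_on_curve(E, P):
    a1, a2, a3, a4, a6 = E
    x, y = P
    return y * y + a1 * x * y + a3 * y == x ** 3 + a2 * x * x + a4 * x + a6

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(E, p):
    """#E(F_p), point at infinity included (and the singular point, if p is bad)."""
    a1, a2, a3, a4, a6 = E
    if p == 2:                               # too small for the Legendre trick: enumerate
        return 1 + sum(1 for x in range(2) for y in range(2)
                       if (y * y + a1 * x * y + a3 * y
                           - x ** 3 - a2 * x * x - a4 * x - a6) % 2 == 0)
    n = 1
    for x in range(p):
        fx = x ** 3 + a2 * x * x + a4 * x + a6
        # y^2 + (a1 x + a3) y - f(x) = 0 has 1 + (D/p) solutions, D = (a1 x + a3)^2 + 4 f(x)
        n += 1 + legendre((a1 * x + a3) ** 2 + 4 * fx, p)
    return n

def a_p(E, p):
    """L-series coefficient a_p = p + 1 - #E(F_p); at a bad prime this is 1, -1 or 0."""
    return p + 1 - count_points(E, p)

def torsion_bound(E, primes):
    """gcd of #E(F_p) over the odd primes of good reduction in `primes`: E(Q)_tors injects
    into E(F_p) for such p, so the result is a multiple of the order of the torsion subgroup."""
    D = discriminant(E)
    counts = [count_points(E, p) for p in primes if p > 2 and D % p != 0]
    return reduce(gcd, counts, 0)

if __name__ == "__main__":
    E11A1 = (0, -1, 1, -10, -20)
    E37A1 = (0, 0, 1, -1, 0)
    print(discriminant(E11A1), [a_p(E11A1, p) for p in (2, 3, 5, 7, 11, 13)])   # -11^5, ...
    print(torsion_bound(E11A1, (3, 5, 7, 13)), torsion_bound(E37A1, (3, 5, 7)))  # 5, 1
    print(is_on_curve(E37A1, (0, 0)), is_on_curve((0, 1, 1, 0, 0), (0, 0)))     # True, True
```

Brute-force counting is fine for the small primes this table needs; for large $p$ one would use Algorithm 7.4.12 as the text says. The bound from the gcd is only an upper bound on $\#T$, which is why the text still lists the torsion subgroup itself.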


N    label   a1   a2   a3   a4      a6        r   T
11   A1       0   -1    1   -10     -20       0   5
11   A2       0   -1    1   -7820   -263580   0   1
11   A3       0   -1    1   0       0         0   5
14   A1       1    0    1   4       -6        0   6
14   A2       1    0    1   -36     -70       0   6
14   A3       1    0    1   -171    -874      0   2
14   A4       1    0    1   -1      0         0   6
14   A5       1    0    1   -2731   -55146    0   2
14   A6       1    0    1   -11     12        0   6
15   A1       1    1    1   -10     -10       0   2x4
15   A2       1    1    1   -135    -660      0   2x2
15   A3       1    1    1   -5      2         0   2x4
15   A4       1    1    1   35      -28       0   8
15   A5       1    1    1   -2160   -39540    0   2
15   A6       1    1    1   -110    -880      0   2
15   A7       1    1    1   -80     242       0   4
15   A8       1    1    1   0       0         0   4
17   A1       1   -1    1   -1      -14       0   4
17   A2       1   -1    1   -6      -4        0   2x2
17   A3       1   -1    1   -91     -310      0   2
17   A4       1   -1    1   -1      0         0   4
19   A1       0    1    1   -9      -15       0   3
19   A2       0    1    1   -769    -8470     0   1
19   A3       0    1    1   1       0         0   3
20   A1       0    1    0   4       4         0   6
20   A2       0    1    0   -1      0         0   6
20   A3       0    1    0   -36     -140      0   2
20   A4       0    1    0   -41     -116      0   2
21   A1       1    0    0   -4      -1        0   2x4
21   A2       1    0    0   -49     -136      0   2x2
21   A3       1    0    0   -39     90        0   8
21   A4       1    0    0   1       0         0   4
21   A5       1    0    0   -784    -8515     0   2
21   A6       1    0    0   -34     -217      0   2
24   A1       0   -1    0   -4      4         0   2x4
24   A2       0   -1    0   -24     -36       0   2x2
24   A3       0   -1    0   -64     220       0   4
24   A4       0   -1    0   1       0         0   4
24   A5       0   -1    0   -384    -2772     0   2
24   A6       0   -1    0   16      -180      0   2
26   A1       1    0    1   -5      -8        0   3
26   A2       1    0    1   -460    -3830     0   1
26   A3       1    0    1   0       0         0   3
26   B1       1   -1    1   -3      3         0   7
26   B2       1   -1    1   -213    -1257     0   1
27   A1       0    0    1   0       -7        0   3
27   A2       0    0    1   -270    -1708     0   1
27   A3       0
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